Lucene search
Echo SecurityPACKETSTORM:38097HistoryJun 18, 2005 - 12:00 a.m.
Echo Security Advisory 2005.14
2005-06-1800:00:00
Echo Security
packetstormsecurity.com
24
` .OR.ID
ECHO_ADV_14$2005
---------------------------------------------------------------------------
Multiple Vulnerabilities in Liberum Help Desk
---------------------------------------------------------------------------
Author: Dedi Dwianto
Date: June, 02nd 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv14-theday-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Liberum Help Desk
version: >0.97.3
url : http://www.liberum.org
Author: Liberum
Description:
Liberum Help Desk is the complete help desk solution for small to medium sized businesses and organizations.
This software provides a simple, easy to use web interface for managing and tracking technical support problems.
This Software vulnerable Cross-Site Scripting and SQL Injection in many pages.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross-Site Scripting (XSS)
* File castnewPost.asp
http://[url]/liberum/castnewPost.asp
Hole In Input Form
Problem Script castnewPost.asp
--------------
...
...
strAltEmail = Request.Form("tbxAltEmail")
strTitle = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
.Title = strTitle
.Description = strDescription
.Resolution = strResolution
.AltEMail = strAltEmail
...
--------------
This Script Allow User to Input html Character in newpost.asp page Without Filter.
For Example Input data like :
- Email : <b>[email protected]</b>
- Title : <b>test<script>alert('dudul')</script></b>
- Description : <b>test<script>alert('dudul')</script></b>
Etc
* FIle CaseModifyPost.asp
Hole In Input Form
Problem Script castnewPost.asp
--------------
...
...
strAltEmail = Request.Form("tbxAltEmail")
strTitle = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
.Title = strTitle
.Description = strDescription
.Resolution = strResolution
.AltEMail = strAltEmail
...
--------------
B. SQL Injection
Multiple SQL Injection some pages.
- http://[url]/liberum/view.asp?id='[SQL Injection]
- http://[url]/liberum/register.asp?edit='[SQL Injection]
- http://[url]/liberum/print.asp?id='[SQL Injection]
Problem Script
* clsListitem.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
ID = m_ID
End Property
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------
* clscategory.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
ID = m_ID
End Property
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------
C. Solution
Using Replace String and make script for validate input form For Filter some character
- castnewPost.asp
* Add This Code After <HEAD>
----- Begin
<SCRIPT LANGUAGE="JavaScript">
function validate() {
var badstring = ('<','>','\'','\"','*','#','=','&','\\',';',':'); // Invalid character is a space
//check form email
if (document.frmNew.AltEmail.value = validate) {
alert('Bad Characters.');
document.frmNew.AltEmail.focus();
return false;
}
//check form Title
if (document.frmNew.AltTitle.value = badstring) {
alert('Bad Characters.');
document.frmNew.AltTitle.focus();
return false;
}
//check form Description
if (document.frmNew.AltDescription.value = badstring) {
alert('Bad Characters.');
document.frmNew.AltDescription.focus();
return false;
}
//check form Resolution
if (document.frmNew.AltResolution.value = badstring) {
alert('Bad Characters.');
document.frmNew.AltResolution.focus();
return false;
}
else {
return true;
}
}
}
</script>
----- EOF
* Add Code For Call that function in tag Form
find :
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew">
replace
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew" onsubmit="return validate()">
* Add validate script into all pages for filter XSS
* Filter For SQL Injection
Find :
...
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
...
Replace
...
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
f_ID = Replace("f_ID","'","")
...
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ [email protected] ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
`