Echo Security Advisory 2005.14

2005-06-18T00:00:00
ID PACKETSTORM:38097
Type packetstorm
Reporter Echo Security
Modified 2005-06-18T00:00:00

Description

                                        
                                            ` .OR.ID  
ECHO_ADV_14$2005  
  
---------------------------------------------------------------------------  
Multiple Vulnerabilities in Liberum Help Desk  
---------------------------------------------------------------------------  
  
Author: Dedi Dwianto  
Date: June, 02nd 2005  
Location: Indonesia, Jakarta  
Web: http://echo.or.id/adv/adv14-theday-2005.txt  
  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application : Liberum Help Desk  
version: >0.97.3  
url : http://www.liberum.org  
Author: Liberum  
Description:   
  
Liberum Help Desk is the complete help desk solution for small to medium sized businesses and organizations.   
This software provides a simple, easy to use web interface for managing and tracking technical support problems.  
This software is vulnerable to Cross-Site Scripting and SQL Injection in many pages.  
  
---------------------------------------------------------------------------  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~  
  
A. Cross-Site Scripting (XSS)  
  
* File castnewPost.asp  
  
http://[url]/liberum/castnewPost.asp  
  
Hole In Input Form  
Problem Script castnewPost.asp  
  
--------------  
...  
...  
strAltEmail = Request.Form("tbxAltEmail")  
strTitle = Request.Form("tbxTitle")  
strDescription = Request.Form("txtDescription")  
strResolution = Request.Form("txtResolution")  
...  
...  
Set objCase = New clsCase  
...  
.Title = strTitle  
.Description = strDescription  
.Resolution = strResolution  
.AltEMail = strAltEmail  
...  
--------------  
This script lets a user submit HTML characters through the newpost.asp page without any filtering.  
For example, input data like:  
- Email : <b>dudul@test.com</b>   
- Title : <b>test<script>alert('dudul')</script></b>  
- Description : <b>test<script>alert('dudul')</script></b>  
  
Etc  
  
* File CaseModifyPost.asp  
Hole In Input Form  
Problem Script castnewPost.asp  
  
--------------  
...  
...  
strAltEmail = Request.Form("tbxAltEmail")  
strTitle = Request.Form("tbxTitle")  
strDescription = Request.Form("txtDescription")  
strResolution = Request.Form("txtResolution")  
...  
...  
Set objCase = New clsCase  
...  
.Title = strTitle  
.Description = strDescription  
.Resolution = strResolution  
.AltEMail = strAltEmail  
...  
--------------  
  
  
B. SQL Injection  
  
Multiple SQL Injection in some pages.  
  
- http://[url]/liberum/view.asp?id='[SQL Injection]  
- http://[url]/liberum/register.asp?edit='[SQL Injection]   
- http://[url]/liberum/print.asp?id='[SQL Injection]  
  
  
Problem Script   
* clsListitem.asp  
---------------   
...  
intPage = CInt(Request.Querystring("Page"))  
...  
Public Property Get ID() ' As Long  
ID = m_ID  
End Property  
  
Public Property Let ID(f_ID)  
If IsNumeric(f_ID) Then  
m_ID = f_ID  
End If  
End Property  
...  
...  
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID  
Set rsList = Server.CreateObject("ADODB.RecordSet")  
rsList.Open strQuery, m_cnnDB  
...  
---------------   
  
* clscategory.asp  
---------------   
...  
intPage = CInt(Request.Querystring("Page"))  
...  
Public Property Get ID() ' As Long  
ID = m_ID  
End Property  
  
Public Property Let ID(f_ID)  
If IsNumeric(f_ID) Then  
m_ID = f_ID  
End If  
End Property  
...  
...  
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID  
Set rsList = Server.CreateObject("ADODB.RecordSet")  
rsList.Open strQuery, m_cnnDB  
...  
---------------   
  
  
  
C. Solution  
Use Replace on the input strings and add a script that validates the input form to filter some characters.  
- castnewPost.asp   
  
* Add This Code After <HEAD>  
----- Begin  
<SCRIPT LANGUAGE="JavaScript">  
  
// Field names below follow the Request.Form keys read by the server script.
var badChars = ['<', '>', '\'', '"', '*', '#', '=', '&', '\\', ';', ':']; // characters to reject

// Return true when value contains any rejected character.
function hasBadChar(value) {
    for (var i = 0; i < badChars.length; i++) {
        if (value.indexOf(badChars[i]) !== -1) {
            return true;
        }
    }
    return false;
}

function validate() {
    var form = document.frmNew;
    //check form email
    if (hasBadChar(form.tbxAltEmail.value)) {
        alert('Bad Characters.');
        form.tbxAltEmail.focus();
        return false;
    }
    //check form Title
    if (hasBadChar(form.tbxTitle.value)) {
        alert('Bad Characters.');
        form.tbxTitle.focus();
        return false;
    }
    //check form Description
    if (hasBadChar(form.txtDescription.value)) {
        alert('Bad Characters.');
        form.txtDescription.focus();
        return false;
    }
    //check form Resolution
    if (hasBadChar(form.txtResolution.value)) {
        alert('Bad Characters.');
        form.txtResolution.focus();
        return false;
    }
    return true;
}
</script>  
----- EOF  
  
* Add code to call that function in the FORM tag  
find :  
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew">  
replace  
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew" onsubmit="return validate()">  
  
* Add the validate script to all pages to filter XSS  
  
* Filter For SQL Injection  
Find :  
...  
Public Property Let ID(f_ID)  
If IsNumeric(f_ID) Then  
m_ID = f_ID  
...  
Replace  
...  
Public Property Let ID(f_ID)  
f_ID = Replace(f_ID, "'", "") ' strip single quotes from the value itself, before it is checked and stored  
If IsNumeric(f_ID) Then  
m_ID = f_ID  
...  
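
A server-side form of the two fixes, which still applies when a request reaches the ASP page without passing the browser-side validate() check: the id is bound as an ADODB.Command parameter instead of being concatenated into strQuery, and case fields are HTML-encoded when written out. This is an added example, not code from the advisory or from Liberum; ParseId, OpenListItem and HtmlSafe are hypothetical helper names, and cnnDB is assumed to be an open ADODB connection like m_cnnDB above.

```vbscript
<%
' Added example, not Liberum's or the advisory author's code.
' Assumption: cnnDB is an open ADODB.Connection, like m_cnnDB in the class files.
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

' Hypothetical helper: accept only a plain non-negative integer id.
' IsNumeric alone also accepts forms such as "1e3" or "&H10".
Function ParseId(raw)
    Dim re, s
    ParseId = Null
    s = raw & ""                     ' Null, Empty and missing keys become ""
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"      ' at most 9 digits, so CLng cannot overflow
    If re.Test(s) Then ParseId = CLng(s)
End Function

' Hypothetical helper: look up a list item with a bound parameter, so the id
' never becomes part of the SQL text. Returns Nothing for a rejected id.
Function OpenListItem(cnnDB, rawId)
    Dim id, cmd
    Set OpenListItem = Nothing
    id = ParseId(rawId)
    If IsNull(id) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnnDB
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM tblLists WHERE ListItemPK = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
    Set OpenListItem = cmd.Execute
End Function

' Hypothetical helper: encode a stored case field before writing it into HTML,
' so markup saved in Title, Description, Resolution or AltEMail renders as text.
Function HtmlSafe(value)
    HtmlSafe = Server.HTMLEncode(value & "")
End Function

' Assumed usage on a page that displays a case (the display code is not shown
' in the advisory):
'   Response.Write HtmlSafe(objCase.Title)
'   Set rsList = OpenListItem(m_cnnDB, Request.QueryString("id"))
'   If rsList Is Nothing Then Response.Status = "400 Bad Request"
%>
```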
  
---------------------------------------------------------------------------  
  
Shoutz:  
~~~~~~~  
  
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous  
~ Lieur Euy , MSR  
~ newbie_hacker@yahoogroups.com ,  
~ #e-c-h-o@DALNET  
  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
the_day || echo|staff || the_day[at]echo[dot]or[dot]id  
Homepage: http://theday.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  
`