.OR.ID
ECHO_ADV_14$2005
---------------------------------------------------------------------------
Multiple Vulnerabilities in Liberum Help Desk
---------------------------------------------------------------------------
Author: Dedi Dwianto
Date: June, 02nd 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv14-theday-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Liberum Help Desk
version: >0.97.3
url : http://www.liberum.org
Author: Liberum
Description:
Liberum Help Desk is the complete help desk solution for small to medium sized businesses and organizations.
This software provides a simple, easy to use web interface for managing and tracking technical support problems.
This software is vulnerable to Cross-Site Scripting and SQL Injection in many pages.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross-Site Scripting (XSS)
* File castnewPost.asp
http://[url]/liberum/castnewPost.asp
Hole In Input Form
Problem Script castnewPost.asp
--------------
...
...
strAltEmail = Request.Form("tbxAltEmail")
strTitle = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
.Title = strTitle
.Description = strDescription
.Resolution = strResolution
.AltEMail = strAltEmail
...
--------------
This script allows a user to input HTML characters in the newpost.asp page without any filtering.
For example, input data like:
- Email : <b>[email protected]</b>
- Title : <b>test<script>alert('dudul')</script></b>
- Description : <b>test<script>alert('dudul')</script></b>
Etc
* File CaseModifyPost.asp
Hole In Input Form
Problem Script castnewPost.asp
--------------
...
...
strAltEmail = Request.Form("tbxAltEmail")
strTitle = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
.Title = strTitle
.Description = strDescription
.Resolution = strResolution
.AltEMail = strAltEmail
...
--------------
B. SQL Injection
Multiple SQL injection points in some pages.
- http://[url]/liberum/view.asp?id='[SQL Injection]
- http://[url]/liberum/register.asp?edit='[SQL Injection]
- http://[url]/liberum/print.asp?id='[SQL Injection]
Problem Script
* clsListitem.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
ID = m_ID
End Property
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------
* clscategory.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
ID = m_ID
End Property
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------
C. Solution
Use string replacement and add a script that validates the input form to filter certain characters.
- castnewPost.asp
* Add This Code After <HEAD>
----- Begin
<SCRIPT LANGUAGE="JavaScript">
function validate() {
// Characters rejected in every field
var badstring = ['<','>','\'','"','*','#','=','&','\\',';',':'];
// Fields to check, named as the ASP script reads them via Request.Form
var fields = ['tbxAltEmail','tbxTitle','txtDescription','txtResolution'];
for (var i = 0; i < fields.length; i++) {
var field = document.frmNew[fields[i]];
if (!field) { continue; } // field not present on this page
for (var j = 0; j < badstring.length; j++) {
// Reject the field if it contains any listed character
if (field.value.indexOf(badstring[j]) != -1) {
alert('Bad Characters.');
field.focus();
return false;
}
}
}
return true;
}
</script>
----- EOF
* Add code to call that function in the FORM tag
find :
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew">
replace
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew" onsubmit="return validate()">
* Add the validate script to all pages to filter XSS
* Filter For SQL Injection
Find :
...
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
...
Replace
...
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
f_ID = Replace(f_ID,"'","")
m_ID = f_ID
...
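Server-side counterpart to the fixes above, as an added example that is not part of the original advisory or of Liberum's code. The id is coerced to a Long and bound as an ADO parameter, and case fields are HTML-encoded when written out, because an onsubmit check runs only in the browser. SafeLong, GetListItem and WriteField are hypothetical names; m_cnnDB and objCase are taken from the advisory's snippets and assumed to be set up by the page.

```vbscript
<%
' Added example, not Liberum code. SafeLong, GetListItem and WriteField are
' hypothetical helpers; m_cnnDB and objCase come from the advisory's snippets.
' Omit these constants if adovbs.inc is already included.
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum

' Coerce request input to a Long; anything CLng cannot convert becomes 0.
Function SafeLong(raw)
    SafeLong = 0
    On Error Resume Next
    SafeLong = CLng(raw)
    On Error GoTo 0
End Function

' Same query as clsListitem.asp, with the id bound as a typed parameter
' instead of being concatenated into the SQL text.
Function GetListItem(cnn, rawId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM tblLists WHERE ListItemPK = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , SafeLong(rawId))
    Set GetListItem = cmd.Execute
End Function

' Encode stored case fields when they are written into HTML, so markup
' typed into Title or Description is displayed as text, not interpreted.
Sub WriteField(label, value)
    ' value & "" turns Null database values into an empty string
    Response.Write "<b>" & Server.HTMLEncode(label) & ":</b> " & _
                   Server.HTMLEncode(value & "") & "<br>"
End Sub

' Usage on a page that has an open m_cnnDB and a loaded objCase (assumed):
Dim rsList
Set rsList = GetListItem(m_cnnDB, Request.QueryString("id"))
WriteField "Title", objCase.Title
WriteField "Description", objCase.Description
%>
```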
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ [email protected] ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------