Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSubPACKETSTORM:63208
HistoryFeb 03, 2008 - 12:00 a.m.

eds-sql.txt

2008-02-0300:00:00
sub
packetstormsecurity.com
15
JSON
`Application: The Everything Development System  
Version(s): <= Pre-1.0 (current version at time of release)  
Author: sub < [email protected] >  
Released: 2/1/2008  
  
There exists a vulnerability in The Everything Development Engine that  
allows a user to inject their own SQL to modify a SELECT query, leading  
to information disclosure, XSS, or privilege escalation. What's more,  
passwords are stored in the database as plaintext, making user accounts  
very easily compromised.  
  
In some versions of the software I have encountered, the following proof  
of concept will display a corresponding username and password in the  
"core" field and "reputation" field on the page, respectively.  
  
Proof of Concept:  
http://path.to/cms/index.pl?node_id=0/**/UNION/**/SELECT/**/null,101,null,1,null,null,passwd,null,null,nick,null/**/FROM/**/user/**/WHERE/**/nick/**/!%3d/**/''/**/%23  
  
In other, probably more recent versions, a 13-column query is required  
or the UNION. What does not change, is that of all of the various  
versions I've encountered, all are vulnerable to SQL injection.  
  
The ideal fix would be to ensure that the 'node_id' request variable is  
the appropriate data-type (signed int) before passing it as part of a  
SQL query.  
  
Vendor Status:  
A private ticket was created on the vendors Bug Tracker page prior to  
this release. However, I have decided to release this vulnerability  
without a reply from the vendor as the Bug Tracker, and development  
project, seemed to be 'abandonded.'  
`
JSON