faname10-sql.txt

2008-07-01T00:00:00
ID PACKETSTORM:67807
Type packetstorm
Reporter Jesper Jurcenoks
Modified 2008-07-01T00:00:00

Description

                                        
                                            `netVigilance Security Advisory #42  
  
Fa Name version 1.0 SQL Injection Vulnerability  
  
Description:  
Fa Name   
(http://webscripts.softpedia.com/script/Content-Management/Fa-Name-41229.html)   
is useful portal (CMS) for .name websites. You can have a simple portal   
but useful one for you domain names and by useing this portal you can   
show your complete information like photo, identification , projects and   
history to the others.  
Successful exploitation requires PHP magic_quotes_gpc set to Off on the   
server. (default is magic_quotes_gpc = On)  
External References:  
Mitre CVE: CVE-2007-3652  
NVD NIST: CVE-2007-3652  
  
Summary:  
Fa Name is useful portal (CMS) for .name websites.  
A security problem in the product allows attackers to commit SQL injection.  
  
Advisory URL:  
http://www.netvigilance.com/advisory0042  
  
Release Date: June 30th 2008  
  
CVSS Version 2 Metrics:  
  
Base Metrics:  
Exploitability Metrics:  
Access Vector: Network  
Access Complexity: Medium  
Authentication: None  
Impact Metrics:  
Confidentiality Impact: Partial  
Integrity Impact: Partial  
Availability Impact: Partial  
Temporal Metrics:  
Exploitability: Functional  
Remediation Level: Workaround  
Report Confidence: Uncorroborated  
  
CVSS Version 2 Vectors:  
  
Base Vector: “AV:N/AC:M/Au:N/C:P/I:P/A:P”  
Temporal Vector: “E:F/RL:W/RC:UR”  
  
CVSS Version 2 Scores:  
  
Base Score: 6.8  
Impact Subscore: 6.4  
Exploitability Subscore: 6.8  
Temporal Score: 5.8  
SecureScout Testcase ID: TC 17972  
  
Vulnerable Systems:  
Fa Name version 1.0  
  
Vulnerability Type:  
SQL injection allows malicious people to execute their own SQL scripts.   
This could be exploited to obtain sensitive data, modify database   
contents or acquire administrator’s privileges.  
  
Vendor:  
FaScript  
  
Vendor Status:  
The Vendor has been notified on July 7th 2007, but did not respond.  
  
Workaround:  
In the php.ini file set magic_quotes_gpc = On.  
Example:  
REQUEST:  
http://[TARGET]/[FANAME-DIRECTORY]/class/page.php?id=-1' UNION SELECT   
1,1,1,`name` FROM `portal`%23  
REPLY:  
...<div align=right><span class=sub>[SQL INJECTION RESULT]</span></div>...  
Credits:  
Jesper Jurcenoks  
Co-founder netVigilance, Inc  
www.netvigilance.com  
  
`