[LBYTE] Ruslan Communications <BODY>Builder SQL modification

2002-06-13T00:00:00
ID SECURITYVULNS:DOC:3081
Type securityvulns
Reporter Securityvulns
Modified 2002-06-13T00:00:00

Description

Title: <BODY>Builder SQL modification
Author: mam0nt of Limpid Byte, http://lbyte.void.ru/
Vendor: Ruslan Communications
Vendor URL: http://ruslan-com.ru/
Vendor Status: Contacted, no reply
Released: June 13, 2002

Background:

<Body>Builder is a site-building engine by Ruslan Communications written in Java. Its administrative interface is reachable at http://site/Admin. All accounts are stored in a database and looked up via SQL.

Problem:

A lack of server-side input validation allows a user to modify the SQL query issued during authentication. This can be used to reach the administrative interface without a password, or to run arbitrary SQL statements on the backend database.

Exploitation:

Submit the login form with login='-- and pass='-- (the single quote closes the string literal in the query and -- turns the rest of the statement into a comment).

Solution:

Edit _login__jsp.java so that both request parameters are checked before they reach the login query:

      -- cut --
      java.lang.String _jspParam;
      // username: accepted only when present, non-empty and free of single quotes
      _jspParam = request.getParameter("username");
      if (_jspParam != null && !_jspParam.equals("") && _checkvalue(_jspParam))
       Log.setUsername(_jspParam);
      // password: same check
      _jspParam = request.getParameter("password");
      if (_jspParam != null && !_jspParam.equals("") && _checkvalue(_jspParam))
       Log.setPassword(_jspParam);
      -- cut --

Add a new function called _checkvalue that rejects any value containing a single quote (the character used to break out of the string literal in the query):

      public static boolean _checkvalue(java.lang.String _value)
      {
       int count;
       char temp;
       for (count=0; count<_value.length(); count++)
       {
        temp=_value.charAt(count);
        if (temp=='\'') return false;   // quote found: reject the value
       }
       return true;                      // no quote found: value is accepted
      }
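To make the mechanism and the fix concrete, here is an added example. It is not the advisory's or the vendor's code, and it is written in Python with SQLite rather than the product's Java/JSP; the accounts table, its rows and the shape of the login query are assumptions, since the advisory does not show the real query. The block shows how a single quote followed by -- rewrites a concatenated login query, that the advisory's _checkvalue filter (ported here as checkvalue) rejects the payload but also rejects legitimate values containing an apostrophe, and that bound parameters (a PreparedStatement in Java) neutralise the payload without any character filtering. With the page's exact payload the WHERE clause collapses to username = ''; what that matches depends on the vendor's actual query and data, so the bypass case below uses admin'-- against the assumed table to comment away the password check.

```python
import sqlite3

# Constructed sample data standing in for the product's account table
# (assumed schema; the advisory does not show the vendor's real query).
SAMPLE_ACCOUNTS = [(1, "admin", "s3cret"), (2, "editor", "pa'ss")]


def make_db():
    """In-memory SQLite database holding the constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return con


def build_concat_query(username, password):
    """Vulnerable pattern: request parameters pasted into the statement text.
    A single quote in either value ends the string literal early and '--'
    turns the remainder of the statement into a comment."""
    return (
        "SELECT id FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_concat(con, username, password):
    """Authenticate with the concatenated query; True if any row matches."""
    return con.execute(build_concat_query(username, password)).fetchone() is not None


def login_param(con, username, password):
    """Hardened form: bound parameters, so quotes and '--' in the input stay data.
    The Java equivalent is a PreparedStatement with setString()."""
    row = con.execute(
        "SELECT id FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def checkvalue(value):
    """Python port of the advisory's _checkvalue: reject any value containing
    a single quote. It stops the quote break-out, but it also rejects
    legitimate passwords such as pa'ss, which is why bound parameters are
    the better fix."""
    return "'" not in value


def demo():
    """Run the cases and return the outcomes for inspection."""
    con = make_db()
    results = {
        # the advisory's payload collapses the WHERE clause to username = ''
        "sql_for_advisory_payload": build_concat_query("'--", "'--"),
        # comment away the password check for a known account name
        "bypass_concat": login_concat(con, "admin'--", "wrong"),
        "bypass_param": login_param(con, "admin'--", "wrong"),
        "valid_param": login_param(con, "admin", "s3cret"),
        "filter_rejects_payload": checkvalue("'--"),
        "filter_rejects_legit_password": checkvalue("pa'ss"),
    }
    con.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the rewritten statement for the advisory's payload, a successful login through the concatenated query with a wrong password, and a failed one through the parameterised query; the filter results show that the quote check blocks the attack at the cost of rejecting any legitimate value with an apostrophe.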

Vendor:

The vendor was notified via e-mail; no feedback was received.