[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] IRM Security Advisory : RedDot CMS SQL injection vulnerability

so IRMPLC goes from xss in cisco products to sql injection in a small user
base webapp?

I think you may need to fire your current 'research' team and start over

On Mon, Apr 21, 2008 at 11:06 AM, Mark Crowther <mark.crowther@xxxxxxxxxx>

>  RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
> http://www.irmplc.com/index.php/167-Advisory-026
> Vulnerability Type/Importance: SQL injection/Critical
> Problem Discovered:     12 February 2008
> Vendor Contacted:       19 February 2008
> Advisory Published:     21 April 2008
> Abstract:
> The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
> pre-authentication SQL injection vulnerability which, when exploited, allows
> enumeration of all SQL database content.
> Description:
> The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the
> language context for the CMS application. The vulnerability exists as a
> result of inadequate validation of user-supplied input within this
> parameter.
> Technical Details:
> Normal input for the 'LngId' parameter contains a code such as ENG, DEU,
> JP, denoting the language type. This parameter is not properly validated and
> the injection of SQL statements within it allows attackers unrestricted
> access to enumerate information from the database. For example:
> https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0FROM
>  IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85)
> and name> '' ORDER BY 1;-- &DisableAutoLogin=1
> Proof of Concept:
> A Proof of Concept (RDdbenum.py) has been developed to automate
> enumeration of entire database content available from
> http://www.irmplc.com/Tools/RDdbenum.py
> Workaround / Solutions:
> There are no known workarounds for this vulnerability
> The Vendor has released a patch for this vulnerability, Release,
> available from normal Red Dot customer support contacts.
> Tested / Affected Versions:
> IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5
> Build, tested with Microsoft SQL Server 2005 database.
> It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0;
> however this has not been fully verified.
> Credits:
> Research and Advisory: Mark Crowther and Rodrigo Marcos
> Disclaimer:
> All information in this advisory is provided on an 'as is' basis in the
> hope that it will be useful. Information Risk Management Plc is not
> responsible for any risks or occurrences caused by the application of this
> information.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/