
Re: [Full-disclosure] Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability



"2011-00-00:     Vendor Fix/Patch"

On Thu, Sep 29, 2011 at 11:34 AM, research@xxxxxxxxxxxxxxxxxxxxx
<research@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Title:
> ======
> Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
>
>
> Date:
> =====
> 2011-09-29
>
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=272
>
>
> VL-ID:
> =====
> 272
>
>
> Introduction:
> =============
> The application is currently included and viewable by all facebook users.
> The service is an external 3rd party application sponsored by the 
> ScottsdaleInventory.
>
> (Copy of the Vendor Homepage: 
> http://apps.facebook.com/scottsdaleinventory/share.php)
>
> Facebook is a social networking service and website launched in February 
> 2004, operated and privately owned
> by Facebook, Inc. As of July 2011, Facebook has more than 750 million active 
> users. Users may create
> a personal profile, add other users as friends, and exchange messages, 
> including automatic notifications when
> they update their profile. Facebook users must register before using the 
> site. Additionally, users may join
> common-interest user groups, organized by workplace, school or college, or 
> other characteristics.
>
> (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)
>
>
> Abstract:
> =========
> Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability 
> on the 3rd party web application - North Scottsdale Inventory 
> (apps.facebook.com).
>
>
> Report-Timeline:
> ================
> 2011-09-17:     Vendor Notification
> 2011-09-18:     Vendor Response/Feedback
> 2011-00-00:     Vendor Fix/Patch
> 2011-09-29:     Public or Non-Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Affected Products:
> ==================
> North Scottsdale Inventory (Facebook Application) - 2011/Q3
>
>
> Exploitation-Technique:
> =======================
> Remote
>
>
> Severity:
> =========
> High
>
>
> Details:
> ========
> A SQL Injection vulnerability is detected on the North Scottsdale Inventory 
> facebook application (apps.facebook).
> The vulnerability allows an attacker (remote) to inject/execute their own sql 
> statements on the affected fb application dbms.
>
> Vulnerable Module(s):
>                 [+] North Scottsdale Inventory - Facebook 3rd Party Application
>
> Vulnerable Param(s):
>                 [+] ?fbid= &carid=
>
> Affected Application:
>                 [+] http://apps.facebook.com/scottsdaleinventory/
>
>
> --- SQL Error Logs ---
> Invalid query: You have an error in your SQL syntax; check the manual that 
> corresponds to your
> MySQL server version for the right syntax to use near -1` *view* at line 1
> ---
>
> Picture(s):
>                                                ../1.png
>
>
> Proof of Concept:
> =================
> The vulnerability can be exploited by remote attackers. For demonstration or 
> to reproduce ...
>
> URL:    apps.facebook.com/scottsdaleinventory/
> Path:   /scottsdaleinventory/
> File:   share.php
> Param:  ?fbid=  &carid=
>
>
> Example:
> http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?fid=[x]&carid=[x]
>
>
> PoC:
> http://apps.facebook.com/scottsdaleinventory/share.php?fbid=-1%27&carid=-1%27
>
>
> Solution:
> =========
> Use the prepared statement class to fix the sql injection vulnerability & 
> filter sql error requests.
> Set error(0) to prevent information disclosure via exceptions or 
> error reports.
>
>
> Risk:
> =====
> The security risk of the application sql injection vulnerability is estimated 
> as high.
>
>
> Credits:
> ========
> Vulnerability Research Laboratory -  N/A Anonymous
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any 
> warranty. Vulnerability-Lab disclaims all warranties,
> either expressed or implied, including the warranties of merchantability and 
> capability for a particular purpose. Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including direct, 
> indirect, incidental, consequential loss of business
> profits or special damages, even if Vulnerability-Lab or its suppliers have 
> been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for 
> consequential or incidental damages so the foregoing limitation
> may not apply. Any modified copy or reproduction, including partially usages, 
> of this file requires authorization from Vulnerability-
> Lab. Permission to electronically redistribute this alert in its unmodified 
> form is granted. All other rights, including the use of
> other media, are reserved by Vulnerability-Lab or its suppliers.
>
>                                                Copyright © 2011 | Vulnerability-Lab
>
>
>
>
> --
> Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
> Contact: admin@xxxxxxxxxxxxxxxxxxxxx or support@xxxxxxxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
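As an added illustration of the advisory's Solution section (this is not Vulnerability-Lab's or the vendor's code; the `cars` table, its column names and the `share_*` function names are assumed), the query pattern that produces the quoted "Invalid query" error is shown next to the prepared-statement version with error display turned off:

```php
<?php
// Constructed example. BEFORE: ?fbid= and ?carid= are concatenated straight into
// the SQL text, so a single quote (as in the PoC, fbid=-1') changes the query, and
// the raw MySQL error is echoed back to the browser, which is the information
// disclosure the advisory's "SQL Error Logs" section shows.
function share_vulnerable(mysqli $db): ?array
{
    $fbid  = $_GET['fbid'];
    $carid = $_GET['carid'];
    $sql   = "SELECT * FROM cars WHERE fbid = '$fbid' AND carid = '$carid'";
    $res   = $db->query($sql);
    if (!$res) {
        die('Invalid query: ' . $db->error);   // leaks DBMS error text to the client
    }
    return $res->fetch_assoc() ?: null;
}

// AFTER: the two fixes the advisory recommends.
// 1. "Set error(0)": never render PHP/DB errors to the visitor; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Prepared statement with typed, bound parameters (assumed: $db was created with
//    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION). Input is validated as an integer
//    before it ever reaches the database, and a failed query yields a generic
//    response rather than the MySQL message.
function share_fixed(PDO $db): ?array
{
    $fbid  = filter_input(INPUT_GET, 'fbid',  FILTER_VALIDATE_INT);
    $carid = filter_input(INPUT_GET, 'carid', FILTER_VALIDATE_INT);
    if ($fbid === false || $fbid === null || $carid === false || $carid === null) {
        http_response_code(400);               // "-1'" is rejected here, no query is run
        return null;
    }
    try {
        $stmt = $db->prepare('SELECT * FROM cars WHERE fbid = :fbid AND carid = :carid');
        $stmt->bindValue(':fbid',  $fbid,  PDO::PARAM_INT);
        $stmt->bindValue(':carid', $carid, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    } catch (PDOException $e) {
        error_log('share.php query failed: ' . $e->getMessage());  // server-side log only
        http_response_code(500);
        return null;
    }
}
```

With the fixed version, a malformed `fbid` is refused before any SQL is built, and even a genuine database fault reaches the client only as a 500 status with no DBMS detail.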
