Bugtraq mailing list archives
RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification
From: Nick Lothian <nl () essential com au>
Date: Fri, 14 Jun 2002 09:53:52 +0930
I am unfamiliar with <Body>Builder (and their site is in Russian so I can't find a link), but in normal java web development pages named *_jsp.java are generated java code from .jsp files. The name of the *_jsp.java files is non-standard and varies between servlet engine implementations. The behaviour of the servlet engine when these files are modified is also non-standard (Some will recompile the file to pickup the changes, but others - eg Tomcat 3.2 - will not). The recommended fix should be implemented in the .jsp files (if available - they are sometimes shipped inside a .war file), not the .java files. Of course, if the *.jsp files are unavailable then this may the best possible work-around. Regards, Nick Lothian
-----Original Message----- From: Alexander Korchagin [mailto:akor () tsaritsyno ru] Sent: Friday, 14 June 2002 1:17 AM To: bugtraq () securityfocus com Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification Original reference: http://www.security.nnov.ru/search/news.asp?binid=2092 Title: <BODY>Builder SQL modification Author: mam0nt of Limpid Byte http://lbyte.void.ru/ Vendor: Ruslan Communications Vendor URL: http://ruslan-com.ru/ Vendor Status: Contacted, not replied Released: June, 13 2002 Background: <Body>Builder is a site building engine by Ruslan Communications written in Java. It has administrative access via http://site/Admin. All accounts are stored in database and accessed via SQL. Problem: Leak of input validation from server side allows user to modify SQL request during authentication. It may be used to access administrative interface without password or to run any SQL request on backend. Exploitation: Use login='-- and pass='-- Solution: Edit _login__jsp.java: -- cut -- java.lang.String _jspParam; _jspParam = request.getParameter("username"); if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) ) Log.setUsername(_jspParam); _jspParam = request.getParameter("password"); if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) ) Log.setPassword(_jspParam); --cut-- Add new function called _checkvalue public static boolean _checkvalue(java.lang.String _value) { int count; char temp; for (count=0;count<_value.length();count++) { temp=_value.charAt(count); if (temp=='\'' ) return false; } return true; } Vendor: Vendor notified via e-mail without feedback.
Current thread:
- [LBYTE] Ruslan Communications <BODY>Builder SQL modification Alexander Korchagin (Jun 13)
- <Possible follow-ups>
- RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification Nick Lothian (Jun 14)