Bugtraq mailing list archives

RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification

From: Nick Lothian <nl () essential com au>
Date: Fri, 14 Jun 2002 09:53:52 +0930

I am unfamiliar with <Body>Builder (and their site is in Russian so I can't
find a link), but in normal java web development pages named *_jsp.java are
generated java code from .jsp files. 

The name of the *_jsp.java files is non-standard and varies between servlet
engine implementations. The behaviour of the servlet engine when these files
are modified is also non-standard (Some will recompile the file to pickup
the changes, but others - eg Tomcat 3.2 - will not). 

The recommended fix should be implemented in the .jsp files (if available -
they are sometimes shipped inside a .war file), not the .java files. Of
course, if the *.jsp files are unavailable then this may the best possible
work-around.

Regards,
  Nick Lothian

-----Original Message-----
From: Alexander Korchagin [mailto:akor () tsaritsyno ru]
Sent: Friday, 14 June 2002 1:17 AM
To: bugtraq () securityfocus com
Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification



Original reference: 
http://www.security.nnov.ru/search/news.asp?binid=2092

Title:          <BODY>Builder SQL modification
Author:         mam0nt of Limpid Byte http://lbyte.void.ru/
Vendor:         Ruslan Communications
Vendor URL:     http://ruslan-com.ru/
Vendor Status:  Contacted, not replied
Released:       June, 13 2002

Background:

 <Body>Builder  is  a  site  building  engine  by  Ruslan 
Communications
 written  in  Java.  It has administrative access via 
http://site/Admin.
 All accounts are stored in database and accessed via SQL.

Problem:

 Leak  of  input  validation  from server side allows user to 
modify SQL
 request  during authentication. It may be used to access 
administrative
 interface without password or to run any SQL request on backend.

Exploitation:

 Use login='-- and pass='--

Solution:

 Edit _login__jsp.java:

          -- cut --
          java.lang.String _jspParam;
          _jspParam = request.getParameter("username");
          if (_jspParam != null && ! _jspParam.equals("") && 
_checkvalue(_jspParam) )
           Log.setUsername(_jspParam);
          _jspParam = request.getParameter("password");
          if (_jspParam != null && ! _jspParam.equals("") && 
_checkvalue(_jspParam) )
           Log.setPassword(_jspParam);
          --cut--

 Add new function called _checkvalue

          public static boolean _checkvalue(java.lang.String _value)
          {
           int count;
           char temp;
           for (count=0;count<_value.length();count++)
           {
            temp=_value.charAt(count);
            if (temp=='\'' ) return false;
           }
            return true;
          }
                
Vendor:

 Vendor notified via e-mail without feedback.

Current thread:

[LBYTE] Ruslan Communications <BODY>Builder SQL modification Alexander Korchagin (Jun 13)
- <Possible follow-ups>
- RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification Nick Lothian (Jun 14)