Re: Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability

[Ferenc Kovacs <tyra3l () gmail com>]

"2011-00-00:     Vendor Fix/Patch"

On Thu, Sep 29, 2011 at 11:34 AM, research () vulnerability-lab com
<research () vulnerability-lab com> wrote:
> Title:
> ======
> Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
>
>
> Date:
> =====
> 2011-09-29
>
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=272
>
>
> VL-ID:
> =====
> 272
>
>
> Introduction:
> =============
> The application is currently included and viewable by all facebook users.
> The service is an external 3rd party application sponsored by the ScottsdaleInventory.
>
> (Copy of the Vendor Homepage: http://apps.facebook.com/scottsdaleinventory/share.php)
>
> Facebook is a social networking service and website launched in February 2004, operated and privately owned
> by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create
> a personal profile, add other users as friends, and exchange messages, including automatic notifications when
> they update their profile. Facebook users must register before using the site. Additionally, users may join
> common-interest user groups, organized by workplace, school or college, or other characteristics.
>
> (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)
>
>
> Abstract:
> =========
> Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on the 3rd party web application - North 
> Scottsdale Inventory (apps.facebook.com).
>
>
> Report-Timeline:
> ================
> 2011-09-17:     Vendor Notification
> 2011-09-18:     Vendor Response/Feedback
> 2011-00-00:     Vendor Fix/Patch
> 2011-09-29:     Public or Non-Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Affected Products:
> ==================
> North Scottsdale Inventory (Facebook Application) - 2011/Q3
>
>
> Exploitation-Technique:
> =======================
> Remote
>
>
> Severity:
> =========
> High
>
>
> Details:
> ========
> A SQL Injection vulnerability is detected on the North Scottsdale Inventory facebook application (apps.facebook).
> The vulnerability allows  an attacker (remote) to inject/execute own sql statements on the affected fb application 
> dbms.
>
> Vulnerable Module(s):
>                                                   [+] North Scottsdale Inventory - Facebook 3rd Party Application
>
> Vulnerable Param(s):
>                                                   [+] ?fbid= &carid=
>
> Affected Application:
>                                                   [+] http://apps.facebook.com/scottsdaleinventory/
>
>
> --- SQL Error Logs ---
> Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your
> MySQL server version for the right syntax to use near -1` *view* at line 1
> ---
>
> Picture(s):
>                                                ../1.png
>
>
> Proof of Concept:
> =================
> The vulnerability can be exploited be remote attackers. For demonstration or reproduce ...
>
> URL:    apps.facebook.com/scottsdaleinventory/
> Path:   /scottsdaleinventory/
> File:   share.php
> Param:  ?fbid=  &carid=
>
>
> Example:
> http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?fid=[x]&carid=[x]
>
>
> PoC:
> http://apps.facebook.com/scottsdaleinventory/share.php?fbid=-1%27&carid=-1%27
>
>
> Solution:
> =========
> Use the prepared statement class to fix the sql injection vulnerability & filter sql error requests.
> Set error(0) to prevent against information disclosure via exceptions or error reports.
>
>
> Risk:
> =====
> The security risk of the application sql injection vulnerability is estimated as high.
>
>
> Credits:
> ========
> Vulnerability Research Laboratory -  N/A Anonymous
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all 
> warranties,
> either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
> Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
> of business
> profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
> damages. Some
> states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
> limitation
> may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization 
> from Vulnerability-
> Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, 
> including the use of
> other media, are reserved by Vulnerability-Lab or its suppliers.
>
>                                                Copyright © 2011|Vulnerability-Lab
>
>
>
>
> --
> Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
> Contact: admin () vulnerability-lab com or support () vulnerability-lab com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/