Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability

[reepex <reepex () gmail com>]

so IRMPLC goes from xss in cisco products to sql injection in a small user
base webapp?

I think you may need to fire your current 'research' team and start over

On Mon, Apr 21, 2008 at 11:06 AM, Mark Crowther <mark.crowther () irmplc com>
wrote:

>  RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
>
>
>
> http://www.irmplc.com/index.php/167-Advisory-026
>
>
>
>
>
> Vulnerability Type/Importance: SQL injection/Critical
>
>
>
> Problem Discovered:     12 February 2008
>
> Vendor Contacted:       19 February 2008
>
> Advisory Published:     21 April 2008
>
>
>
>
>
> Abstract:
>
> The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
> pre-authentication SQL injection vulnerability which, when exploited, allows
> enumeration of all SQL database content.
>
>
>
> Description:
>
> The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the
> language context for the CMS application. The vulnerability exists as a
> result of inadequate validation of user-supplied input within this
> parameter.
>
>
>
>
>
> Technical Details:
>
> Normal input for the 'LngId' parameter contains a code such as ENG, DEU,
> JP, denoting the language type. This parameter is not properly validated and
> the injection of SQL statements within it allows attackers unrestricted
> access to enumerate information from the database. For example:
>
>
>
>
> https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0FROM IO_DGC_ENG UNION SELECT min(name) 
> FROM SYSOBJECTS where xtype=char(85)
> and name> '' ORDER BY 1;-- &DisableAutoLogin=1
>
>
>
> Proof of Concept:
>
> A Proof of Concept (RDdbenum.py) has been developed to automate
> enumeration of entire database content available from
> http://www.irmplc.com/Tools/RDdbenum.py
>
>
>
>
>
> Workaround / Solutions:
>
> There are no known workarounds for this vulnerability
>
> The Vendor has released a patch for this vulnerability, Release 7.5.1.86,
> available from normal Red Dot customer support contacts.
>
>
>
>
>
> Tested / Affected Versions:
>
> IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5
> Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
>
> It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0;
> however this has not been fully verified.
>
>
>
>
>
> Credits:
>
> Research and Advisory: Mark Crowther and Rodrigo Marcos
>
>
>
>
>
> Disclaimer:
>
> All information in this advisory is provided on an 'as is' basis in the
> hope that it will be useful. Information Risk Management Plc is not
> responsible for any risks or occurrences caused by the application of this
> information.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/