Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability

[Ureleet <ureleet () gmail com>]

seems like no one is buying into "your day" on may 1.  Quit trying to
make a name for urself on other ppls research.


On 4/21/08, n3td3v <xploitable () gmail com> wrote:
> On Mon, Apr 21, 2008 at 5:06 PM, Mark Crowther <mark.crowther () irmplc com>
> wrote:
> > RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
> >
> >
> >
> > http://www.irmplc.com/index.php/167-Advisory-026
> >
> >
> >
> >
> >
> > Vulnerability Type/Importance: SQL injection/Critical
> >
> >
> >
> > Problem Discovered:     12 February 2008
> >
> > Vendor Contacted:       19 February 2008
> >
> > Advisory Published:     21 April 2008
> >
> >
> >
> >
> >
> > Abstract:
> >
> > The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
> > pre-authentication SQL injection vulnerability which, when exploited,
> allows
> > enumeration of all SQL database content.
> >
> >
> >
> > Description:
> >
> > The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the
> > language context for the CMS application. The vulnerability exists as a
> > result of inadequate validation of user-supplied input within this
> > parameter.
> >
> >
> >
> >
> >
> > Technical Details:
> >
> > Normal input for the 'LngId' parameter contains a code such as ENG, DEU,
> JP,
> > denoting the language type. This parameter is not properly validated and
> the
> > injection of SQL statements within it allows attackers unrestricted access
> > to enumerate information from the database. For example:
> https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0
> > FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where
> xtype=char(85)
> > and name> '' ORDER BY 1;-- &DisableAutoLogin=1
> >
> >
> >
> > Proof of Concept:
> >
> > A Proof of Concept (RDdbenum.py) has been developed to automate
> enumeration
> > of entire database content available from
> > http://www.irmplc.com/Tools/RDdbenum.py
> >
> >
> >
> >
> >
> > Workaround / Solutions:
> >
> > There are no known workarounds for this vulnerability
> >
> > The Vendor has released a patch for this vulnerability, Release 7.5.1.86,
> > available from normal Red Dot customer support contacts.
> >
> >
> >
> >
> >
> > Tested / Affected Versions:
> >
> > IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5
> > Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
> >
> > It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0;
> > however this has not been fully verified.
> >
> >
> >
> >
> >
> > Credits:
> >
> > Research and Advisory: Mark Crowther and Rodrigo Marcos
>
> Can we keep these for Web Application Security Awareness Day? It'll
> have a bigger impact on Web Application Security than releasing them
> in dribs and drabs.
>
> If you care about about Web Application Security, you'll be doing more
> good waiting off till the end of the month.
>
> We need to talk in one voice on May 1st... you'll be heard louder and
> probably people will take more notice of your vulnerability than
> usual.
>
> I'm going to be compiling a big list of every vulnerability released
> on May 1st, its going to be awesome.
>
> The security industry will have no choice but to listen to the
> security community!!! Its full of epic win.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html
>
> Regards,
>
> n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/