Vulnerability Development mailing list archives
eeye.com insecurities
From: "david evlis reign" <davidreign () hotmail com>
Date: Mon, 18 Feb 2002 07:36:21 +0000
food for thought: who can you trust when the people who are *supposed* to be protecting you can't even secure their own site?
the details: eeye.com is run on the (in)famous webserver IIS, and eeye is purely a Microsoft-orientated site.
the problem lies in its forums, some misplaced ' lead to an information leak and possibly an SQL injection problem.
as follows:

http://www.eeye.com/~apps/modules/Forum/threads.asp?cat=t.0326.192953.399014&filter='90

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CLng'
/~apps/modules/Forum/threads.asp, line 13

ohk we have sourced this out, next we find that a string of say hmm 30 chars, all integers crashes the app.

http://www.eeye.com/~apps/modules/Forum/threads.asp?cat=t.0326.192953.399014&filter=90909090909090909090909090909909090

Microsoft VBScript runtime error '800a0006'
Overflow: 'CLng'
/~apps/modules/Forum/threads.asp, line 13

one looks at this and *immediately* says "integer overflow". interesting. we can see there is some sql calls there somewhere so therefore possible cmd execution.
also, one has to ask the question: are the blind leading the blind? a small information leak could be *vital* in finding webroots etc... might have been handy to those crazy defacers in the day.
thanks and goodnight.
davidr