FuseTalk SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189877 漏洞类型 SQL注入
发布时间 2007-07-11 更新时间 2007-07-11
CVE编号 CVE-2007-3705 CNNVD-ID CNNVD-200707-192
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://www.securityfocus.com/bid/81658
https://cxsecurity.com/issue/WLB-2007070034
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-192
|漏洞详情
FuseTalk2.0版本中存在SQL注入漏洞。远程攻击者可以借助对forum/index.cfm的FTVAR_SUBCAT(txForumID)参数以及其他可能的未明组件,执行任意SQL指令,且这些组件与forum/include/error/forumerror.cfm相关。
|漏洞EXP
Greetings,
I have found sql injection in FuseTalk 2.0 during a legitmate audit.
Resending because I got MIME errors to bugtraq (at) securityfocus (dot) com. [email concealed]  I
have exchanged emails with rkeith (at) securityfocus (dot) com [email concealed] who needed more
information when I originally sent an email to vuldb (at) securityfocus (dot) com [email concealed]

Operating system and software installed.
-Microsoft SQL Server 2000 - 8.00.760 (Intel x86)
-Windows NT 5.0 SP4
-Fusetalk 2.0 Forums

How the vulnerability can be reproduced
-If a session is not prior established a error page disclosure will
reveal an input field where direct SQL queries can be used to disclose
confidential/sensitive information.
-FTVAR_SUBCAT= is the parameter where the injectiion occurs and its
value is sent as txForumID which allows 128 characters with no input
validation.  Direct SQL queries can occur to grab entire database
information.

METHOD is GET
Protocol is HTTP
Port 80
Path may vary but was found on /community/forum/index.cfm
Query is FTVAR_SUBCAT=@@version&nocookies=y&subcatname=

What impact the vulnerability has on the vulnerable system.
-Allows a remote attack to directly query the database and disclose
both sensitve/confidential information.

Any additional details that might help in the verification process
I had javascript off, because a pop-up does try to correct the input,
but through client-side validation.  Mozilla Firefox 2.0.0.4 was used.

The error message when session is not prior established...

--
The seems to have been a problem accessing the forum which you are
trying to view.
There could be several cause to this problem.
1.             You should try passing the forum id of the forum in the
URL (http://www.fusetalk.com/forum/index.cfm?forumid=1)
2.             You are trying to access the forum using an IP
Address(i.e. http://127.0.0.1/forum/index.cfm?forumid=1) or a Machine
Name (i.e. http://MyServer/forum/index.cfm?forumid=1)
3.             You are using FuseTalk using a domain that is not the
correct Forum URL.
To view if this is the error, login to the global administration
module, enter the forum management section, find the forum you are
trying to access and update it. Click on the forum tab and check the
Forum URL setting. Both the URL you are trying to access the forum
with and the URL in the forum management section should be the same.If
you wish to try and find the correct URL of the forum you are trying
to access complete the forum below.

Forum ID:
--

With @@version submitted I got the error below.  I submitted more
details queries with permission from the client and was able to
retreive admin username, tables, columns, etc. not shown.

--
Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a
column of data type int.

Please try the following:
    * Enable Robust Exception Information to provide greater detail
about the source of errors. In the Administrator, click Debugging &
Logging > Debugging Settings, and select the Robust Exception
Information option.
    * Check the ColdFusion documentation to verify that you are using
the correct syntax.
    * Search the Knowledge Base to find a solution to your problem.
Browser                 Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Remote Address
Referrer       http://www.domainname.com
/community/forum/include/error/forumerror.cfm?errorno=3
Date/Time      15-Jun-07 03:09 PM
--

Charles H. Kim
charleskim.us (at) gmail (dot) com [email concealed]
|受影响的产品
FuseTalk Inc. FuseTalk 2.0 - Standard FuseTalk Inc. FuseTalk 2.0 - Enterprise FuseTalk Inc. FuseTalk 2.0 - Coldfusion FuseTalk Inc. FuseTalk 2.0 - Basic
|参考资料

来源:BUGTRAQ
名称:20070618FusetalkSQLinjectionsubmission.
链接:http://www.securityfocus.com/archive/1/archive/1/471637/100/200/threaded
来源:SREASON
名称:2879
链接:http://securityreason.com/securityalert/2879