[NT] HelpBox Multiple SQL Injection Vulnerabilities
Date: 21 Jul 2004 17:44:22 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [NT] HelpBox Multiple SQL Injection Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  HelpBox Multiple SQL Injection Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The HelpBox product (http://www.laytontechnology.com/) comes in two 
flavors: HelpBox Standard, which uses an internal Jet database, and 
HelpBox SQL, which uses Microsoft SQL Server. Most of the ASP pages that 
the product uses correctly remove dangerous characters from user-provided 
input. However, some pages do not appear to include such a protection 
mechanism. This allows a remote attacker with access to the server to 
cause it to execute arbitrary SQL statements (via SQL injection 
vulnerabilities).

DETAILS

Vulnerable Systems:
 * HelpBox version 3.0.1

These SQL injection vulnerabilities are made worse by the fact that some 
ASP pages do not require the user to be authenticated to run their 
vulnerable SQL code, allowing an unauthenticated user to gain access to 
the HelpBox product (by creating a new user for himself using a specially 
crafted URL that includes SQL code).

The following is a partial list of the ASPs we have found to be 
vulnerable:
 * editcommentenduser.asp - parameter: sys_comment_id [script doesn't require authentication]
 * editsuspensionuser.asp - parameter: sys_suspend_id [script doesn't require authentication]
 * export_data.asp - parameter: table [requires administrative privileges to HelpBox, but allows exporting of any table in the SQL server]
 * manageanalgrouppreference.asp - parameter: sys_analgroup [requires administrative privileges to HelpBox]
 * quickinfoassetrequests.asp - parameter: sys_asset_id [script doesn't require authentication]
 * quickinfoenduserrequests.asp - parameter: sys_eusername [script doesn't require authentication]
 * requestauditlog.asp - parameter: sys_request_id [script doesn't require authentication]
 * requestcommentsenduser.asp - parameter: sys_request_id [script doesn't require authentication]
 * selectrequestapplytemplate.asp - parameter: sys_request_id [requires administrative privileges to HelpBox]
 * selectrequestlink.asp - parameter: sys_request_id [requires administrative privileges to HelpBox]

Those scripts that do not require authentication also allow a remote 
attacker to retrieve sensitive information from the server (apart from the 
SQL injection vulnerability).
 
Example:
Issuing the following URL against a HelpBox SQL edition server produces a 
SQL Server error, which demonstrates the SQL injection vulnerability:
http://vulnerablesite/laytonhelpdesk/editcommentenduser.asp?sys_comment_id=1'
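The flaw pattern the advisory describes, as an added illustration that is not HelpBox's code: the comments table, its rows and the function names are constructed. It contrasts splicing sys_comment_id straight into the statement (where the trailing quote surfaces as a database error, the witness used above) with a version that requires an authenticated session, rejects non-integer ids and binds the value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a HelpBox comments table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (sys_comment_id INTEGER, sys_request_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)",
                     [(1, 100, "printer jammed"), (2, 100, "replaced toner"), (3, 101, "vpn down")])
    return conn


def lookup_vulnerable(conn, sys_comment_id):
    """The flaw pattern from the advisory: the raw request parameter is spliced
    into the statement, so a stray quote reaches the database as SQL syntax."""
    sql = "SELECT body FROM comments WHERE sys_comment_id = " + sys_comment_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, sys_comment_id, authenticated):
    """Hardened form: require an authenticated session (the advisory notes several
    scripts skip this), reject non-integer ids, and bind the value as a parameter."""
    if not authenticated:
        raise PermissionError("login required")
    try:
        cid = int(sys_comment_id)
    except ValueError:
        raise ValueError("sys_comment_id must be an integer") from None
    rows = conn.execute("SELECT body FROM comments WHERE sys_comment_id = ?", (cid,))
    return [row[0] for row in rows]


def probe(conn, func, *args):
    """Model the response a scanner sees: ('ok', rows) or ('error', exception name).
    A database error for the input 1' is the symptom the advisory uses as its witness."""
    try:
        return ("ok", func(conn, *args))
    except (sqlite3.Error, ValueError, PermissionError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    print(probe(db, lookup_vulnerable, "1'"))       # database syntax error leaks out
    print(probe(db, lookup_hardened, "1'", True))   # rejected before reaching the database
    print(probe(db, lookup_hardened, "1", False))   # unauthenticated request refused
```

The same integer check and parameter binding apply to the other listed id parameters (sys_suspend_id, sys_asset_id, sys_request_id); the authentication check addresses the scripts the list marks as not requiring it.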

Vendor Response:
We have tried contacting the vendor numerous times since 15 April 2004; we 
have received automated responses and promises to contact us, but nothing 
regarding the above vulnerabilities.

Testing Methodology:
A few months ago Beyond Security built a new module for its Automated 
Scanning Vulnerability Assessment engine to test web sites and web 
applications for security vulnerabilities. This module adds the capability 
to dynamically crawl through a web site and find vulnerabilities in its 
dynamic pages.

This type of tool was considered to be different from the network VA 
tools, but we at Beyond Security believe that these two types of tools 
should be merged into one, and this is what made us incorporate the Web 
Site Security Audit module to our Automated Scanning engine.

For a press release on this integration see:
http://www.beyondsecurity.com/press/2004/press10030402.htm
White paper on the first integrated network and web application 
vulnerability scanner:
http://www.beyondsecurity.com/webscan-wp.pdf

Our Automated Scanning engine equipped with the Web Site Security Audit 
module did all the tests described in this advisory automatically.


ADDITIONAL INFORMATION

The information has been provided by Noam Rathaus <[email protected]>.




