Multiple SQL Injection Vulnerabilities in Dreamweaver Generated Code INFORMATION: ------------------------- Class: SQL Injection CVE: CVE-2006-2042 Remote: Yes Local: Yes Published: May 09, 2006 Credit: Brian Gallagher Vulnerable: Dreamweaver Ultradev Dreamweaver MX Dreamweaver MX 2004 Dreamweaver 8 (fixed in version 8.0.2) DISCUSSION ------------------------- There are multiple SQL Injection vulnerabilities in the code generated by Adobe's Macromedia Dreamweaver prior to versino 8.0.2. This vulnerability affects the ColdFusion, PHP mySQL, ASP, ASP.NET and JSP server models. If the database server is configured to allow local system commands to be executed via database calls, this vulnerability may also allow local code execution. Dreamweaver offers powerful rapid-application design (RAD) tools for quickly and easily creating Internet and Intranet applications for a variety of server models (databases and languages). The code generated automatically by these functions does not properly validate input and are vulnerable to SQL Injection attacks from remote users. Macromedia (now Adobe) was notified of the problem in October 2005. They have been working cooperatively to remedy this problem, including examining and updating all their server models. If all vendors were this cooperative and responsive, the digital world would be a safer and better place. Adobe today released the updated version of Dreamweaver 8.0.2 (free download) along with instructions on how to workaround the problem in code developed in earlier versions of Dreamweaver. The Adobe announcement can be found here: http://www.adobe.com/support/security/bulletins/apsb06-07.html EXPLOIT ------------------------- This vulnerability can be exploited by standard SQL injection techniques. The documentation supplied by Adobe in their release details where the vulnerabilities exist and how to correct them. If a web server's database allows access to the system commands through SQL queries local command execution is possible. SOLUTION ------------------------- Dreamweaver 8: Install the free updater to version 8.0.2 and recreate your server components to use the new more secure code. Dreamweaver MX 2004: Follow the directions for your server model on how to secure your existing code. Dreamweaver MX, Ultradev: Read the directions for the MX 2004 fixes and adapt these to your code. REFERENCES ------------------------- Macromedia Security Bulletin: Dreamweaver Server Behavior SQL Injection vulnerability http://www.adobe.com/support/security/bulletins/apsb06-07.html Dreamweaver Support Center: Updaters http://www.adobe.com/support/dreamweaver/downloads_updaters.html Protecting ColdFusion server behaviors from SQL injection vulnerability http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=300b670e Protecting PHP server behaviors from SQL injection vulnerability http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=30037473 Protecting ASP VBScript server behaviors from SQL injection vulnerability http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=57ae79b2 Protecting ASP JavaScript server behaviors from SQL injection vulnerability http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=581a553c Protecting JSP server behaviors from SQL injection vulnerability http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=585ac720 -- Brian Gallagher - DiamondSea.com - brian@diamondsea.com We Make E-Commerce Easy - No Technical Experience Required Consulting - E-Commerce - Web Site Design - Custom Programming http://www.DiamondSea.com - Toll-Free: 800-604-1476 - Fax: 888-411-8144