
helpboxSQL.txt

Posted Jul 24, 2004
Authored by Noam Rathaus | Site securiteam.com

HelpBox version 3.0.1 is susceptible to multiple SQL injection attacks, including ones that do not require the attacker to be logged in.

tags | advisory, sql injection
SHA-256 | 87e8a6e2016aa8666af63bb99a95022d6d845f836d4c59fa675d2a2e1c2496bd

*HelpBox Multiple SQL Injection Vulnerabilities*

*Summary*
The HelpBox <http://www.laytontechnology.com/> product comes in two
flavors, HelpBox Standard (which uses an internal Jet Database) and
HelpBox SQL (which uses Microsoft's SQL server). Most of the ASP pages
that the product uses correctly remove dangerous characters from user
provided input. However, some pages seem to not include such a
protection mechanism. This allows a remote attacker with access to the
server to cause it to execute arbitrary SQL statements (via SQL
Injection vulnerabilities).

*Details*
*Vulnerable Systems:*
* HelpBox version 3.0.1

These SQL injection vulnerabilities are made worse by the fact that some
ASP pages do not require the user to be authenticated to run their
vulnerable SQL code, allowing an unauthenticated user to gain access to
the HelpBox product (by creating a new user for himself using a specially
crafted URL that includes SQL code).

The following is a partial list of the ASPs we have found to be vulnerable:
* editcommentenduser.asp - parameter: sys_comment_id [script doesn't
require authentication]
* editsuspensionuser.asp - parameter: sys_suspend_id [script doesn't
require authentication]
* export_data.asp - parameter: table [requires administrative
privileges to HelpBox, but allows exporting of any table in the SQL server]
* manageanalgrouppreference.asp - parameter: sys_analgroup [requires
administrative privileges to HelpBox]
* quickinfoassetrequests.asp - parameter: sys_asset_id [script doesn't
require authentication]
* quickinfoenduserrequests.asp - parameter: sys_eusername [script
doesn't require authentication]
* requestauditlog.asp - parameter: sys_request_id [script doesn't
require authentication]
* requestcommentsenduser.asp - parameter: sys_request_id [script
doesn't require authentication]
* selectrequestapplytemplate.asp - parameter: sys_request_id [requires
administrative privileges to HelpBox]
* selectrequestlink.asp - parameter: sys_request_id [requires
administrative privileges to HelpBox]

Those scripts that do not require authentication also allow a remote
attacker to retrieve sensitive information from the server (apart from
the SQL injection vulnerability).

*Example:*
Requesting the following URL on a HelpBox SQL edition server returns a
SQL server error, which demonstrates the SQL injection vulnerability:
http://vulnerablesite/laytonhelpdesk/editcommentenduser.asp?sys_comment_id=1'
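
A defender-side check built from the list above, added here as an example
(it is not part of the original advisory or of HelpBox's code): it flags
web server log lines in which one of the listed parameters carries a value
outside an allow-list. The log field order, the allow-list patterns and the
sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl
# Script -> injectable parameter, copied from the advisory's list.
AFFECTED = {
    "editcommentenduser.asp": "sys_comment_id",
    "editsuspensionuser.asp": "sys_suspend_id",
    "export_data.asp": "table",
    "manageanalgrouppreference.asp": "sys_analgroup",
    "quickinfoassetrequests.asp": "sys_asset_id",
    "quickinfoenduserrequests.asp": "sys_eusername",
    "requestauditlog.asp": "sys_request_id",
    "requestcommentsenduser.asp": "sys_request_id",
    "selectrequestapplytemplate.asp": "sys_request_id",
    "selectrequestlink.asp": "sys_request_id",
}
# Assumed allow-lists: *_id values are integers, other values are plain names.
ID_OK = re.compile(r"\d{1,10}")
NAME_OK = re.compile(r"[A-Za-z0-9_.@ -]{1,64}")
# Constructed sample (fields: date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = [
    "2004-07-24 10:00:01 192.0.2.10 GET /laytonhelpdesk/editcommentenduser.asp sys_comment_id=12 200",
    "2004-07-24 10:00:05 192.0.2.77 GET /laytonhelpdesk/editcommentenduser.asp sys_comment_id=1' 500",
    "2004-07-24 10:00:09 192.0.2.77 GET /laytonhelpdesk/requestauditlog.asp sys_request_id=7%27 500",
]

def check_request(stem, query):
    """Return (script, param, value) when an affected parameter fails its allow-list."""
    script = stem.rsplit("/", 1)[-1].lower()
    param = AFFECTED.get(script)
    if param is None:
        return None
    rule = ID_OK if param.endswith("_id") else NAME_OK
    # ASP treats query-string names case-insensitively, so compare lowercased.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() == param and not rule.fullmatch(value):
            return (script, param, value)
    return None

def scan(lines):
    """Return (client_ip, status, script, param, value) for each flagged line."""
    hits = []
    for fields in (l.split() for l in lines if not l.startswith("#")):
        hit = check_request(fields[4], fields[5]) if len(fields) >= 7 else None
        if hit:
            hits.append((fields[2], fields[6]) + hit)
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The same allow-list test can be applied as an input filter in front of the
affected scripts; it narrows exposure but does not replace parameterized
queries in the application itself.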

*Vendor Response:*
We have tried contacting the vendor numerous times since 15 April 2004;
we have received an automated response and promises to contact us, but
nothing regarding the above vulnerabilities.

*Testing Methodology:*
A few months ago Beyond Security built a new module for its Automated
Scanning Vulnerability Assessment engine to test web sites and web
applications for security vulnerabilities. This module adds the
capability to dynamically crawl through a web site and find
vulnerabilities in its dynamic pages.

This type of tool was considered to be different from the network VA
tools, but we at Beyond Security believe that these two types of tools
should be merged into one, and this is what made us incorporate the Web
Site Security Audit module to our Automated Scanning engine.

For a press release on this integration see:
http://www.beyondsecurity.com/press/2004/press10030402.htm
White paper on the first integrated network and web application
vulnerability scanner: http://www.beyondsecurity.com/webscan-wp.pdf

Our Automated Scanning engine equipped with the Web Site Security Audit
module did all the tests described in this advisory automatically.

*Additional information*
The information has been provided by Noam Rathaus