exploit the possibilities

Echo Security Advisory 2005.14

Echo Security Advisory 2005.14
Posted Jun 18, 2005
Authored by Echo Security, Dedi Dwianto | Site theday.echo.or.id

Liberum Help Desk versions greater than 0.97.3 suffer from various cross site scripting and SQL injection flaws.

tags | exploit, xss, sql injection
MD5 | b92dee53f638603d3cf3072d7956e72f

Echo Security Advisory 2005.14

Change Mirror Download
    .OR.ID
ECHO_ADV_14$2005

---------------------------------------------------------------------------
Multiple Vulnerabilities in Liberum Help Desk
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: June, 02nd 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv14-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Liberum Help Desk
version: >0.97.3
url : http://www.liberum.org
Author: Liberum
Description:

Liberum Help Desk is the complete help desk solution for small to medium sized businesses and organizations.
This software provides a simple, easy to use web interface for managing and tracking technical support problems.
This Software vulnerable Cross-Site Scripting and SQL Injection in many pages.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)

* File castnewPost.asp

http://[url]/liberum/castnewPost.asp

Hole In Input Form
Problem Script castnewPost.asp

--------------
...
...
strAltEmail = Request.Form("tbxAltEmail")
strTitle = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
.Title = strTitle
.Description = strDescription
.Resolution = strResolution
.AltEMail = strAltEmail
...
--------------
This Script Allow User to Input html Character in newpost.asp page Without Filter.
For Example Input data like :
- Email : <b>dudul@test.com</b>
- Title : <b>test<script>alert('dudul')</script></b>
- Description : <b>test<script>alert('dudul')</script></b>

Etc

* FIle CaseModifyPost.asp
Hole In Input Form
Problem Script castnewPost.asp

--------------
...
...
strAltEmail = Request.Form("tbxAltEmail")
strTitle = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
.Title = strTitle
.Description = strDescription
.Resolution = strResolution
.AltEMail = strAltEmail
...
--------------


B. SQL Injection

Multiple SQL Injection some pages.

- http://[url]/liberum/view.asp?id='[SQL Injection]
- http://[url]/liberum/register.asp?edit='[SQL Injection]
- http://[url]/liberum/print.asp?id='[SQL Injection]


Problem Script
* clsListitem.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
ID = m_ID
End Property

Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------

* clscategory.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
ID = m_ID
End Property

Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------



C. Solution
Using Replace String and make script for validate input form For Filter some character
- castnewPost.asp

* Add This Code After <HEAD>
----- Begin
<SCRIPT LANGUAGE="JavaScript">

function validate() {
var badstring = ('<','>','\'','\"','*','#','=','&','\\',';',':'); // Invalid character is a space

//check form email
if (document.frmNew.AltEmail.value = validate) {
alert('Bad Characters.');
document.frmNew.AltEmail.focus();
return false;
}
//check form Title
if (document.frmNew.AltTitle.value = badstring) {
alert('Bad Characters.');
document.frmNew.AltTitle.focus();
return false;
}
//check form Description
if (document.frmNew.AltDescription.value = badstring) {
alert('Bad Characters.');
document.frmNew.AltDescription.focus();
return false;
}
//check form Resolution
if (document.frmNew.AltResolution.value = badstring) {
alert('Bad Characters.');
document.frmNew.AltResolution.focus();
return false;
}
else {

return true;
}
}
}
</script>
----- EOF

* Add Code For Call that function in tag Form
find :
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew">
replace
<FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew" onsubmit="return validate()">

* Add validate script into all pages for filter XSS

* Filter For SQL Injection
Find :
...
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
...
Replace
...
Public Property Let ID(f_ID)
If IsNumeric(f_ID) Then
m_ID = f_ID
f_ID = Replace("f_ID","'","")
...

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close