
knorrede-sql.txt

knorrede-sql.txt
Posted Mar 6, 2007
Authored by Sebastian Bauer | Site blog.gjl-network.net

Knorr.de suffers from SQL injection vulnerabilities that allow for login bypass.

tags | exploit, vulnerability, sql injection
SHA-256 | d25aed4ce39fceef244cae04079f443cd907ded0e24c91d6a97e2f80db85b25f

Author: Sebastian Bauer
Web: http://blog.gjl-network.net
Date: 01/12/07

Vuln. website: http://www.knorr.de
Vulnerability: SQL Injection (mainly login authentication bypass, plus any other SQL injection possibility), XSS
Significance: Very Critical

---------------------------------------------------------

Detailed description:
The site knorr.de uses a MS SQL database server and IIS as its web server. The programming language used is ASP (Active Server Pages).

The login field of the site is vulnerable: since user input is not escaped, it is open to SQL injection attacks.

The SQL string used to authenticate the user can be escaped using single quotes. Since the database server is MS SQL, it is easy to build a valid SQL query and discard the rest of the original query by appending ;-- which ends the current statement and turns the remainder into a comment.

There are several ways to bypass the authentication:

1.) Provide a SQL condition that is always true.
In this case the system selects the first possible user (which seems to be admin, but without any special privileges, as there is no real CMS behind this). An attack like this would be:

Username: -1' or 'x'='x
Password: -1' or 'x'='x

This logs you in as the user "holgi", which seems to be the first user in the user table. The -1' is required to make sure that the original comparison (WHERE username = '-1') is false. The first quote closes the string literal and escapes from the condition handed to the SQL database. The next condition 'x'='x makes sure that the WHERE clause matches every record. We don't provide a closing quote, but reuse the one already present in the original statement to keep the SQL syntax valid.

2.) Provide a SQL condition that returns a specific username.
Example:

Username: -1' or username = 'anyUserName';--
Password:

This makes the query return the record of the user 'anyUserName' if it exists. To tell MS SQL that this is the complete statement we put ; and a -- after it, so that the rest of the statement inside the code is treated as a comment and not interpreted. We have to supply at least one character in the password field, because otherwise the website suggests creating a new user and does not log us in.

3.) Provide a SQL condition that returns a username matching a search pattern.
This is just a small modification of the 2nd query, which makes it possible to guess usernames.
Example:

Username: -1' or username LIKE '%anySearchCondition%';--
Password:

This performs a normal SQL LIKE condition. You can vary it as you want. You'll be logged in as the first matching result.

4.) It is also possible to manually insert new data into the database, obtain information about the server and get access to a SQL shell. These will not be described in more detail in this document, as all the necessary information is no secret to anyone who knows what they are doing.
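To make the root cause of the bypasses above concrete from the defender's side, here is an added example (not from the advisory and not knorr.de's code) that rebuilds the concatenated login query the advisory describes beside its parameterized replacement. It uses an in-memory SQLite table in place of MS SQL; the table, its two users and the plaintext password column are constructed for the demo, and only payload 1 is used because the ;-- comment trick behaves differently across database drivers.

```python
import sqlite3

# Constructed sample users standing in for the site's (unknown) user table.
# Plaintext passwords are for illustration only; real systems must hash them.
USERS = [("holgi", "s3cret"), ("admin", "hunter2")]


def make_db():
    """Build an in-memory database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query, as the advisory says the ASP login does.

    A single quote in the input closes the string literal, so the rest of
    the input is parsed as SQL. With the advisory's payload the WHERE
    clause becomes
      username = '-1' or 'x'='x' AND password = '-1' or 'x'='x'
    which is true for every row, and the first user is returned.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterized query: the driver binds the input as data, so quotes
    and keywords in it are never interpreted as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "-1' or 'x'='x"   # payload 1 from the advisory
    print("vulnerable:", login_vulnerable(db, payload, payload))  # holgi
    print("fixed:     ", login_fixed(db, payload, payload))       # None
```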

Cross-Site Scripting (XSS) Vulnerabilities:
Knorr.de uses some kind of content loader driven by a URL parameter which is vulnerable to XSS attacks. This has not been tested in detail and thus is not described in depth in this document.
Form data used for the Knorr forum is also not escaped, which gives complete freedom to use XSS inside the forum. Since this is a moderated forum the issue can be rated as a low security risk, though it could be possible to steal the session cookie of an administrator who reads an infected entry to confirm or deny it, and hijack the session afterwards.

---------------------------------------------------------

Summary: This login authentication bypass is highly significant, as it is possible to log in as any user we want. Knorr.de is not a website holding strictly confidential information, but you do get access to personal user data.
There may also be a risk to the system itself, as it is possible to have nearly full access to the database to delete records or tables, or even get access to a SQL shell.

All problems found have been discussed with Unilever, the parent company of Knorr, and have been fixed before the release of this document.
