*HelpBox Multiple SQL Injection Vulnerabilties* *Summary* The HelpBox product comes in two flavors, HelpBox Standard (which uses an internal Jet Database) and HelpBox SQL (which uses Microsoft's SQL server). Most of the ASP pages that the product uses correctly remove dangerous characters from user provided input. However, some pages seem to not include such a protection mechanism. This allows a remote attacker with access to the server to cause it to execute arbitrary SQL statements (via SQL Injection vulnerabilities). *Details* *Vulnerable Systems:* * HelpBox version 3.0.1 These SQL injection vulnerabilities is worsen by the fact that some ASP pages do not require the user to be authenticated to run their vulnerable SQL code, allowing an unauthenticated user to gain access the HelpBox product (by creating a new user for himself using a specially crafted URL that includes SQL code). The following is a partial list of the ASPs we have found to be vulnerable: * editcommentenduser.asp - parameter: sys_comment_id [script doesn't require authentication] * editsuspensionuser.asp - parameter: sys_suspend_id [script doesn't require authentication] * export_data.asp - parameter: table [requires administrative privileges to HelpBox, but allows exporting of any table in the SQL server] * manageanalgrouppreference.asp - parameter: sys_analgroup [requires administrative privileges to HelpBox] * quickinfoassetrequests.asp - parameter: sys_asset_id [script doesn't require authentication] * quickinfoenduserrequests.asp - parameter: sys_eusername [script doesn't require authentication] * requestauditlog.asp - parameter: sys_request_id [script doesn't require authentication] * requestcommentsenduser.asp - parameter: sys_request_id [script doesn't require authentication] * selectrequestapplytemplate.asp - parameter: sys_request_id [requires administrative privileges to HelpBox] * selectrequestlink.asp - parameter: sys_request_id [requires administrative privileges to HelpBox] Those scripts that do not require authentication also allow a remote attacker to retrieve sensitive information from the server (apart from the SQL injection vulnerability). *Example:* By issuing the following URL on a HelpBox SQL edition server a SQL server error the SQL injection vulnerability can be witnessed: http://vulnerablesite/laytonhelpdesk/editcommentenduser.asp?sys_comment_id=1' *Vendor Response:* We have tried contacting the vendor numerous times since 15 April 2004, we have received automated response, promises to contact us, but nothing regarding the above vulnerabilities. *Testing Methodology:* A few months ago Beyond Security built a new module for its Automated Scanning Vulnerability Assessment engine to test web sites and web applications for security vulnerabilities. This module adds the capability to dynamically crawl through a web site and find vulnerabilities in its dynamic pages. This type of tool was considered to be different from the network VA tools, but we at Beyond Security believe that these two types of tools should be merged into one, and this is what made us incorporate the Web Site Security Audit module to our Automated Scanning engine. For a press release on this integration see: http://www.beyondsecurity.com/press/2004/press10030402.htm White paper on the first integrated network and web application vulnerability scanner: http://www.beyondsecurity.com/webscan-wp.pdf Our Automated Scanning engine equipped with the Web Site Security Audit module did all the tests described in this advisory automatically. *Additional information* The information has been provided by Noam Rathaus