RichardKinser (Snitz Forums Admin, USA, 16655 Posts)
Posted - 23 April 2002 : 15:47:20

There is a security bug in members.asp that everyone should fix ASAP. Here is what to do:
find this section of code (near the top of members.asp):

if Request.QueryString("method") <> "" then
	SortMethod = Request.QueryString("method")
end if

SearchName = Request("M_NAME")
if SearchName = "" then
	SearchName = Request.Form("M_NAME")
end if

srchUName = Request("UserName")
srchFName = Request("FirstName")
srchLName = Request("LastName")
srchInitial = Request("INITIAL")

mypage = request("whichpage")
 
Replace it with this:

if trim(chkString(Request.QueryString("method"),"SQLString")) <> "" then
	SortMethod = trim(chkString(Request.QueryString("method"),"SQLString"))
end if

SearchName = trim(chkString(Request("M_NAME"),"SQLString"))
if SearchName = "" then
	SearchName = trim(chkString(Request.Form("M_NAME"),"SQLString"))
end if

srchUName = trim(chkString(Request("UserName"),"SQLString"))
srchFName = trim(chkString(Request("FirstName"),"SQLString"))
srchLName = trim(chkString(Request("LastName"),"SQLString"))
srchInitial = trim(chkString(Request("INITIAL"),"SQLString"))

if IsNumeric(srchUName) <> True then srchUName = "1"
if IsNumeric(srchFName) <> True then srchFName = "0"
if IsNumeric(srchLName) <> True then srchLName = "0"
if IsNumeric(srchInitial) <> True then srchInitial = "0"

mypage = trim(chkString(request("whichpage"),"SQLString"))
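The fix above does two things: it passes every request value through chkString(..., "SQLString") before it is pasted into SQL, and it forces the four search flags to be numeric with IsNumeric. The following is an added example, not part of the post or of Snitz, that shows the same two checks in Python against a constructed in-memory SQLite table, plus an allowlist for the sort column (which escaping cannot protect, since a column name is not a quoted literal) and the bound-parameter form that removes the need for escaping altogether. The sample rows, the table schema, the ALLOWED_SORT list and the behaviour attributed to chkString (doubling single quotes) are all assumptions of this example.

```python
import sqlite3

# Constructed stand-in for the forum's members table (hypothetical schema; the real
# Snitz FORUM_MEMBERS table is not reproduced here).
SAMPLE_MEMBERS = [("alice", "Alice"), ("o'brien", "Pat"), ("bob", "Bob")]

# Hypothetical allowlist of columns the `method` parameter may name.
ALLOWED_SORT = ("M_NAME", "M_FIRSTNAME")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (m_name TEXT, m_firstname TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def sql_string(value):
    """Assumed effect of chkString(..., "SQLString"): trim, then double every single
    quote so the value cannot close the string literal it is pasted into."""
    return (value or "").strip().replace("'", "''")


def numeric_or_default(value, default):
    """Mirror of `if IsNumeric(x) <> True then x = default`. The flag is only ever used
    as a number; this simplified check accepts unsigned integers only."""
    text = (value or "").strip()
    return text if text.isdigit() else default


def sort_method(value):
    """A column name is not a quoted literal, so escaping does not help there: compare
    the requested sort column against the allowlist and fall back to a safe default."""
    text = (value or "").strip()
    return text if text in ALLOWED_SORT else "M_NAME"


def search_escaped(conn, search_name, sort=None):
    """Legacy style used by members.asp: the SQL is still string-built, but every user
    value is escaped or allowlisted first, so a quote in the input stays inside the literal."""
    sql = ("SELECT m_name FROM members WHERE m_name LIKE '%" + sql_string(search_name)
           + "%' ORDER BY " + sort_method(sort))
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, search_name):
    """Preferred form: a bound parameter keeps the value out of the SQL text entirely, so
    no escaping routine has to be remembered at every call site."""
    pattern = "%" + search_name.strip() + "%"
    return [row[0] for row in conn.execute(
        "SELECT m_name FROM members WHERE m_name LIKE ? ORDER BY m_name", (pattern,))]


def run_searches(search_name, sort=None):
    """Run both variants against a fresh database and return their results for comparison."""
    conn = make_db()
    try:
        return search_escaped(conn, search_name, sort), search_param(conn, search_name)
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_searches("o'bri"))   # the quote in the name is harmless in both forms
    print(sort_method("not a column"), numeric_or_default("abc", "0"))
```

Both search functions return the same rows for a name containing a quote; the difference is where the safety lives: in the escaped version it must be re-applied at every place a request value is used, which is exactly the kind of omission the members.asp fix repairs, while the bound-parameter version makes the driver responsible.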
                     
                   

nomad_2k (Junior Member, United Kingdom, 173 Posts)
Posted - 23 April 2002 : 15:33:41

quote:

SearchName = trim(chkString(Request("M_NAME"),"SQLString"))
...
srchUName = trim(chkString(Request("UserName"),"SQLString"))
srchFName = trim(chkString(Request("FirstName"),"SQLString"))
srchLName = trim(chkString(Request("LastName"),"SQLString"))
srchInitial = trim(chkString(Request("INITIAL"),"SQLString"))
...
mypage = trim(chkString(request("whichpage"),"SQLString"))
 
 
  
Richard, is there any reason why the quoted lines above use Request instead of Request.Form?
 
Good things come to those who wait. http://www.freeasphost.co.uk/evolution/

RichardKinser (Snitz Forums Admin, USA, 16655 Posts)
Posted - 23 April 2002 : 15:38:08

Because when using paging, the values are passed in the Querystring instead of the form.
                     
                    

MarkJH (Senior Member, United Kingdom, 1722 Posts)
Posted - 23 April 2002 : 16:37:27

                       Whoah, 'somebody' hacked into my forum and warned me of this using my screenname.  Hopefully fixed now.
  Could we have an explanation of how this breach occurs?
bandlink.net - http://www.bandlink.net/ bandlink music forums - http://www.bandlink.net/forum/
                     
                    

speedway (New Member, 88 Posts)
Posted - 23 April 2002 : 16:59:10

                       Thanks Richard.
Not interested in knowing how to hack the forum, but I've done my changes and wanted to know what I should test just to check I have done the changes correctly.
Snitz V3.3 SQL Server 7 IIS4
                     
                    

RichardKinser (Snitz Forums Admin, USA, 16655 Posts)
Posted - 23 April 2002 : 17:24:57

Out of respect for those who haven't applied the fix yet, I'd really rather not advertise how to exploit this bug.
                     
                    

Gremlin (General Help Moderator, New Zealand, 7528 Posts)
Posted - 24 April 2002 : 00:33:53

ick, I see the hole, that's kind of nasty really.
www.daoc-halo.com
                     
                    

Gump (Starting Member, 1 Posts)
Posted - 24 April 2002 : 03:48:02

I am a newbie to ASP and your wonderful forum.
I have just applied the bugfix, but got an error:

-----------------------------------------------------
Microsoft VBScript compilation error '800a03f6'
Expected 'End'
/forum/members.asp, line 553
-----------------------------------------------------

I haven't modified anything else in members.asp
                     
                    

stevader (Starting Member, United Kingdom, 1 Posts)
Posted - 24 April 2002 : 06:15:36

Does this apply to earlier versions of the forum? I have updated most of mine, but on one I found the members.asp page reads like:

<!--#INCLUDE FILE="config.asp" -->
<!--#INCLUDE FILE="inc_functions.asp" -->
<!--#INCLUDE FILE="inc_top.asp" -->
<%
mypage = request("whichpage")
if mypage = "" then
	mypage = 1
end if
'mypagesize = request("pagesize")
'if mypagesize = "" then
'	mypagesize = 15
'end if

right at the top - which is quite different I believe.
                     
                    

work mule (Senior Member, USA, 1358 Posts)
Posted - 24 April 2002 : 11:20:44

quote:
Out of respect for those who haven't applied the fix yet, I'd really rather not advertise how to exploit this bug.

No disrespect intended, but the information has already been distributed. Most likely, those people who would be the people to exploit this already know about it.
I found out about this from another source, third-hand at that. A co-worker who knew we were using Snitz forwarded the message on to me. Otherwise I would have had no idea.

To: BugTraq
Subject: Snitz Forums 2000 remote SQL query manipulation vulnerability
Date: Apr 19 2002 9:06PM
Author: acemi <xxxxxx@yahoo.com>
Message-ID: <20020419210646.23194.qmail@mail.securityfocus.com>

So...unless you can delete the email from anyone who's on this list and from their website, the information is public knowledge. I have to give you guys credit for posting the information within a couple of days of this notice, but this information was public knowledge on this particular list on the 19th.
It's a dilemma...do you keep the user community "protected" from this information or not? You can choose not to publish the information here on exactly what the exploit is, but the people who are going to exploit the bug know that they can search on the web for the information and find it.
My opinion is that people need to know how it's done so that they can be aware of this in the future, especially MOD developers. Ignorance is our worst enemy. So while this may fix this page, as developers we have to know what the problem was so we can see if the same exploit can be used elsewhere in this code and/or other applications we're using.
I know it sucks, but what can you do but deal with it?!
Be informed...

Edited by - work mule on 24 April 2002 11:57:44
                     
                    

RichardKinser (Snitz Forums Admin, USA, 16655 Posts)
Posted - 24 April 2002 : 12:10:55

You know what work mule, if I could, I would round up every one of those attention-seeking people who post crap like this to bugtraq and other places like that and beat the hell out of them. They are not helping anything. Those sites do nothing more than provide a place for hackers to trade information.
I really don't care if the "information" is out there, I am not going to post it on this site. If you want to browse the same places that hackers browse, and support them, be my guest.
If those people really wanted to help, then they would contact the authors about problems before posting to places like bugtraq. But it's all just a game to them. They want to see how many bugs they can rack up. Their lives are so empty that they have nothing better to do with their time. They don't care that what they are doing does affect people. It's time that they are held responsible for what they are doing.
Am I angry? Hell yes, I'm angry. Because of those people posting to those "security" sites, many people's forums are going to get hacked because of it. And they are going to come here asking why. If they waited until after we had posted the fix (our fix, not their so-called fix, since they have no idea what they are talking about), more people could have had the fix installed before they got their kicks with posting to those "security" sites.
For this irresponsible bug reporting we have:
acemi_5@yahoo.com
to thank. So anyone who has had their forum hacked since (I think work mule said April 19th), send a thank you e-mail to acemi_5@yahoo.com .
                     
                    