Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Closed)
 New Security related bug-fix - members.asp(v3.3.x)
 Forum Locked  Topic Locked
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 5

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 23 April 2002 :  15:47:20  Show Profile
There is a security bug in members.asp that everyone should fix ASAP. Here is what to do:

find this section of code (near the top of members.asp):

if Request.QueryString("method") <> "" then
SortMethod = Request.QueryString("method")
end if
SearchName = Request("M_NAME")
if SearchName = "" then
SearchName = Request.Form("M_NAME")
end if

srchUName = Request("UserName")
srchFName = Request("FirstName")
srchLName = Request("LastName")
srchInitial = Request("INITIAL")

mypage = request("whichpage")



Replace it with this:

if trim(chkString(Request.QueryString("method"),"SQLString")) <> "" then
SortMethod = trim(chkString(Request.QueryString("method"),"SQLString"))
end if
SearchName = trim(chkString(Request("M_NAME"),"SQLString"))
if SearchName = "" then
SearchName = trim(chkString(Request.Form("M_NAME"),"SQLString"))
end if

srchUName = trim(chkString(Request("UserName"),"SQLString"))
srchFName = trim(chkString(Request("FirstName"),"SQLString"))
srchLName = trim(chkString(Request("LastName"),"SQLString"))
srchInitial = trim(chkString(Request("INITIAL"),"SQLString"))

if IsNumeric(srchUName) <> True then srchUName = "1"
if IsNumeric(srchFName) <> True then srchFName = "0"
if IsNumeric(srchLName) <> True then srchLName = "0"
if IsNumeric(srchInitial) <> True then srchInitial = "0"

mypage = trim(chkString(request("whichpage"),"SQLString"))

nomad_2k
Junior Member

United Kingdom
173 Posts

Posted - 23 April 2002 :  15:33:41  Show Profile
quote:


SearchName = trim(chkString(Request("M_NAME"),"SQLString"))

...

srchUName = trim(chkString(Request("UserName"),"SQLString"))
srchFName = trim(chkString(Request("FirstName"),"SQLString"))
srchLName = trim(chkString(Request("LastName"),"SQLString"))
srchInitial = trim(chkString(Request("INITIAL"),"SQLString"))

...

mypage = trim(chkString(request("whichpage"),"SQLString"))




Richard is there any reason why the quoted lines above use Request instead of Request.Form?


Good things come to those who wait.
http://www.freeasphost.co.uk/evolution/
Go to Top of Page

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 23 April 2002 :  15:38:08  Show Profile
Because when using paging, the values are passed in the Querystring instead of the form.
Go to Top of Page

MarkJH
Senior Member

United Kingdom
1722 Posts

Posted - 23 April 2002 :  16:37:27  Show Profile  Visit MarkJH's Homepage
Whoah, 'somebody' hacked into my forum and warned me of this using my screenname. Hopefully fixed now.

Could we have an explanation of how this breach occurs?

bandlink.net - http://www.bandlink.net/
bandlink music forums - http://www.bandlink.net/forum/
Go to Top of Page

speedway
New Member

88 Posts

Posted - 23 April 2002 :  16:59:10  Show Profile
Thanks Richard.

Not interested in knowing how to hack the forum but done my changes and wanted to know what I should test just to check I have done the changes correctly.

Snitz V3.3
SQL Server 7
IIS4
Go to Top of Page

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 23 April 2002 :  17:24:57  Show Profile
Out of respect for those who haven't applied the fix yet, I'd really rather not advertise how to exploit this bug.
Go to Top of Page

MarkJH
Senior Member

United Kingdom
1722 Posts

Posted - 23 April 2002 :  18:00:08  Show Profile  Visit MarkJH's Homepage
Err, good point!

bandlink.net - http://www.bandlink.net/
bandlink music forums - http://www.bandlink.net/forum/
Go to Top of Page

Deleted
deleted

4116 Posts

Posted - 23 April 2002 :  18:16:05  Show Profile
Just releasing patch004 for v4b03 which only includes members.asp ...


Think Pink
==> Start Internationalization Here
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 23 April 2002 :  18:24:35  Show Profile  Send ruirib a Yahoo! Message
quote:

Just releasing patch004 for v4b03 which only includes members.asp ...


Think Pink
==> Start Internationalization Here


The situation does require such a move. Well done Bozden .

-------------------------------------------------
Installation Guide | Do's and Dont's | MODs
Go to Top of Page

nomad_2k
Junior Member

United Kingdom
173 Posts

Posted - 23 April 2002 :  19:13:55  Show Profile
Richard a similar fix might be needed for search.asp


Good things come to those who wait.
http://www.freeasphost.co.uk/evolution/
Go to Top of Page

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 23 April 2002 :  19:34:37  Show Profile
I'm pretty sure there was already a Bug Report for Search.asp and the fix was posted at that time. I'll look and see if I can find it.

This is the only known problem with search.asp I am aware of:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=22441

And also this:

http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=18231

But Since Search.asp only gets data from the Form Element, it's not as easy as just changing the values in the QueryString.
Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 24 April 2002 :  00:33:53  Show Profile  Visit Gremlin's Homepage
ick, I see the hole, thats kind of nasty really.

www.daoc-halo.com
Go to Top of Page

Gump
Starting Member

1 Posts

Posted - 24 April 2002 :  03:48:02  Show Profile
I an newbie to ASP and your wonderful forum.

I have just applied the bugfix, but got an error:

-----------------------------------------------------
Microsoft VBScript compilation error '800a03f6'

Expected 'End'

/forum/members.asp, line 553
-----------------------------------------------------

I havent modified anything else in members.asp


Go to Top of Page

stevader
Starting Member

United Kingdom
1 Posts

Posted - 24 April 2002 :  06:15:36  Show Profile
Does this apply to earlier versions of the forum, I have updated most of mine, but one I found the members.asp page reads like:

<!--#INCLUDE FILE="config.asp" -->
<!--#INCLUDE FILE="inc_functions.asp" -->
<!--#INCLUDE FILE="inc_top.asp" -->
<%
mypage = request("whichpage")
if mypage = "" then
mypage = 1
end if
'mypagesize = request("pagesize")
'if mypagesize = "" then
' mypagesize = 15
'end if

right at the top - which is quite different I believe.

Go to Top of Page

work mule
Senior Member

USA
1358 Posts

Posted - 24 April 2002 :  11:20:44  Show Profile
quote:

Out of respect for those who haven't applied the fix yet, I'd really rather not advertise how to exploit this bug.



No disrespect intended, but the information has already been distributed. Most likely, those people who would be the people to exploit this, already know about it.

I found out about this from another source, third-hand at that. A co-worker who knew we were using Snitz forwarded the message on to me. Otherwise I would have had no idea.


To: BugTraq
Subject: Snitz Forums 2000 remote SQL query manipulation vulnerability
Date: Apr 19 2002 9:06PM
Author: acemi <xxxxxx@yahoo.com>
Message-ID: <20020419210646.23194.qmail@mail.securityfocus.com>


So...unless you can delete the email from anyone who's on this list and from their website, the information is public knowledge. I have to give you guys credit for posting the information within a couple of days of this notice, but this information was public knowledge on this particular list on the 19th.

It's a dilemna...do you keep the user community "protected" from this information or not? You can choose not to publish the information here on exactly what the exploit is, but the people who are going to exploit the bug know that they can search on the web for the information and find it.

My opinion is that people need to know how it's done so that they can be aware of this in the future, especially MOD developers. Ignorance is our worst enemy. So while this may fix this page, as developers we have to know what the problem was so we can see if the same exploit can be used elsewhere on this code and/or other applications we're using.

I know it sucks, but what can you do but deal with it?!

Be informed...



Edited by - work mule on 24 April 2002 11:57:44
Go to Top of Page

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 24 April 2002 :  12:10:55  Show Profile
You know what work mule, if I could, I would round up everyone of those attention seeking people who post crap like this to bugtraq and other places like that and beat the hell out of them. They are not helping anything. Those sites do nothing more than provide a place for hackers to trade information.

I really don't care if the "information" is out there, I am not going to post it on this site. If you want to browse the same places that hackers browse, and support them, be my guest.

If those people really wanted to help, then they would contact the authors about problems before posting to places like bugtraq. But, it's all just a game to them. They want to see how many bugs they can rack up. Their lives are so empty that they have nothing better to do with their time. They don't care that what they are doing does affect people. It's time that they are held responsible for what they are doing.

Am I angry? Hell yes, I'm angry. Because of those people posting to those "security" sites, many people's forums are going to get hacked because of it. And they are going to come here asking why. If they waited until after we had posted the fix, (our fix, not their so called fix since they have no idea what they are talking about), more people could have had the fix installed before they got their kicks with posting to those "security" sites.

For this irresponsible bug reporting we have:

acemi_5@yahoo.com

to thank. So anyone who has had their forum hacked since (I think work mule said April 19th), send a thank you e-mail to acemi_5@yahoo.com .
Go to Top of Page
Page: of 5 Previous Topic Topic Next Topic  
Next Page
 Forum Locked  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.16 seconds. Powered By: Snitz Forums 2000 Version 3.4.07