so IRMPLC goes from xss in cisco products to sql injection in a small user base webapp?
I think you may need to fire your current 'research' team and start over

On Mon, Apr 21, 2008 at 11:06 AM, Mark Crowther <[EMAIL PROTECTED]> wrote:
> RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
>
> http://www.irmplc.com/index.php/167-Advisory-026
>
> Vulnerability Type/Importance: SQL injection/Critical
>
> Problem Discovered: 12 February 2008
> Vendor Contacted: 19 February 2008
> Advisory Published: 21 April 2008
>
> Abstract:
> The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
> pre-authentication SQL injection vulnerability which, when exploited, allows
> enumeration of all SQL database content.
>
> Description:
> The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the
> language context for the CMS application. The vulnerability exists as a
> result of inadequate validation of user-supplied input within this
> parameter.
>
> Technical Details:
> Normal input for the 'LngId' parameter contains a code such as ENG, DEU,
> JP, denoting the language type. This parameter is not properly validated and
> the injection of SQL statements within it allows attackers unrestricted
> access to enumerate information from the database. For example:
>
> https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0FROM
> IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85)
> and name> '' ORDER BY 1;-- &DisableAutoLogin=1
>
> Proof of Concept:
> A Proof of Concept (RDdbenum.py) has been developed to automate
> enumeration of entire database content available from
> http://www.irmplc.com/Tools/RDdbenum.py
>
> Workaround / Solutions:
> There are no known workarounds for this vulnerability
> The Vendor has released a patch for this vulnerability, Release 7.5.1.86,
> available from normal Red Dot customer support contacts.
>
> Tested / Affected Versions:
> IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5
> Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
> It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0;
> however this has not been fully verified.
>
> Credits:
> Research and Advisory: Mark Crowther and Rodrigo Marcos
>
> Disclaimer:
> All information in this advisory is provided on an 'as is' basis in the
> hope that it will be useful. Information Risk Management Plc is not
> responsible for any risks or occurrences caused by the application of this
> information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
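The advisory's root cause is that LngId accepts free-form text where only a short language code (ENG, DEU, JP) is expected. As an added example, not from the advisory or from IRM's RDdbenum.py, here is the allowlist check the application should apply to that parameter, together with a scan over constructed W3C-style IIS log lines that flags ioRD.asp requests whose LngId fails the same check; the log field layout and client addresses are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allowlist derived from the advisory: normal LngId values are short
# upper-case language codes such as ENG, DEU, JP. Anything else is rejected
# before it can reach the SQL layer, which closes the injection path.
LNGID_RE = re.compile(r"[A-Z]{2,3}")


def lngid_is_valid(value: str) -> bool:
    """Return True only for a well-formed language code."""
    return LNGID_RE.fullmatch(value) is not None


def suspicious_lngid_requests(log_lines):
    """Scan W3C-style IIS log lines (assumed layout: date time c-ip
    cs-method cs-uri-stem cs-uri-query sc-status) for ioRD.asp requests
    whose LngId fails the allowlist. Returns (client_ip, lngid) tuples."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7 or not fields[4].lower().endswith("/iord.asp"):
            continue
        client_ip, query = fields[2], fields[5]
        if query == "-":  # IIS logs a bare dash when there is no query string
            continue
        # parse_qs decodes '+' and %xx, so we test the value the app would see
        for value in parse_qs(query).get("LngId", []):
            if not lngid_is_valid(value):
                hits.append((client_ip, value))
    return hits


# Constructed sample log: two normal language switches, one request carrying
# the advisory's UNION SELECT payload in LngId, and one unrelated page hit.
SAMPLE_LOG = [
    "2008-04-21 11:06:01 203.0.113.5 GET /cms/ioRD.asp Action=ShowMessage&LngId=ENG&DisableAutoLogin=1 200",
    "2008-04-21 11:06:02 203.0.113.5 GET /cms/ioRD.asp Action=ShowMessage&LngId=DEU&DisableAutoLogin=1 200",
    "2008-04-21 11:07:15 198.51.100.7 GET /cms/ioRD.asp Action=ShowMessage&LngId=ENG.DGC0FROM+IO_DGC_ENG+UNION+SELECT+min(name)+FROM+SYSOBJECTS+where+xtype=char(85)+and+name>+''+ORDER+BY+1;--+&DisableAutoLogin=1 200",
    "2008-04-21 11:08:00 198.51.100.7 GET /cms/default.asp - 200",
]

if __name__ == "__main__":
    for ip, value in suspicious_lngid_requests(SAMPLE_LOG):
        print(f"{ip}: rejected LngId {value!r}")
```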