by r0t,der4444,cembo,VietMafia

Friday, November 25, 2005

cSupport "pg" SQL inj.

Vuln. discovered by: r0t
Date: 25 Nov. 2005
Vendor: www.forperfect.com
Product link: http://www.forperfect.com/csupport/
Affected version: 1.0 and prior

Vuln. Description:
Input passed to the "pg" parameter in "tickets.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Examples ([SQL] marks the injection point; "param" and "dirc" carry the sort column and direction the script already accepts):
/csupport/tickets.php?param=dept&dirc=&pg=[SQL]
/csupport/tickets.php?param=dept&dirc=ASC&pg=[SQL]
/csupport/tickets.php?param=dept&dirc=DESC&pg=[SQL]
/csupport/tickets.php?param=name&dirc=&pg=[SQL]
/csupport/tickets.php?param=subject&dirc=ASC&pg=[SQL]
/csupport/tickets.php?param=timestamp&dirc=DESC&pg=[SQL]
/csupport/tickets.php?param=id&dirc=ASC&pg=[SQL]

Solution:
Edit the source code so that the value of "pg" is validated as an integer (cast it, or reject anything that is not a string of decimal digits) before it reaches the query, or pass it to the database as a bound parameter instead of concatenating it into the SQL string.

2 Comments:

Anonymous Anonymous told...

False alarm... The cSupport logic has this section to verify the pg value:
---
$pgnum = $_REQUEST['pg'];
if(!isset($pgnum) || is_nan($pgnum)){
$pgnum = 0;
}
---
If pg value is SQL code, the $pgnum will be reset to 0. It causes no security defect.

Thanks.

4:50 AM
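The check quoted in the comment above relies on is_nan(), which takes a float: PHP converts the string before the test, and a payload that begins with a digit (for example "1 UNION SELECT ...") converts to 1.0, is_nan() returns false, and $pgnum keeps the original string. The snippet below is an added example written for this page, not cSupport's own code; it accepts only a string of decimal digits for "pg", whitelists "param" and "dirc", and binds the page offset with PDO. The table layout, column names, page size and the in-memory SQLite database are assumptions made for the demonstration (PHP 8 with pdo_sqlite).

```php
<?php
// Added example, not cSupport's code. Validates the "pg" parameter as a
// non-negative integer and binds it, instead of trusting is_nan().
declare(strict_types=1);

const PAGE_SIZE = 20; // assumed page size

/**
 * Return a validated page number, or 0 for anything that is not a string
 * of decimal digits. ctype_digit() rejects "", "-1", "1e3", " 1" and
 * leading-numeric payloads such as "1 UNION SELECT ..." alike.
 */
function page_number(mixed $raw): int
{
    if (!is_string($raw) && !is_int($raw)) {
        return 0;
    }
    $s = (string) $raw;
    if (!ctype_digit($s) || strlen($s) > 9) { // length cap avoids overflow
        return 0;
    }
    return (int) $s;
}

/**
 * Column names cannot be bound as placeholders, so map "param" and "dirc"
 * onto a fixed whitelist; anything unknown falls back to a safe default.
 */
function order_clause(string $param, string $dirc): string
{
    $columns = ['dept', 'name', 'subject', 'timestamp', 'id']; // values from the advisory URLs
    $col = in_array($param, $columns, true) ? $param : 'id';
    $dir = strtoupper($dirc) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $col $dir";
}

/** Fetch one page of tickets; $request stands in for $_REQUEST. */
function fetch_page(PDO $pdo, array $request): array
{
    $page  = page_number($request['pg'] ?? null);
    $order = order_clause((string) ($request['param'] ?? 'id'), (string) ($request['dirc'] ?? 'ASC'));
    $stmt  = $pdo->prepare("SELECT id, subject FROM tickets $order LIMIT :limit OFFSET :offset");
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $page * PAGE_SIZE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database standing in for the (assumed) tickets table.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, dept TEXT, name TEXT, subject TEXT, timestamp INTEGER)');
for ($i = 1; $i <= 45; $i++) {
    $pdo->exec("INSERT INTO tickets (dept, name, subject, timestamp) VALUES ('sales', 'user$i', 'ticket $i', $i)");
}

// A payload in "pg" is reduced to page 0 rather than reaching the query.
$rows = fetch_page($pdo, ['param' => 'dept', 'dirc' => 'ASC', 'pg' => '1 UNION SELECT 1,2']);
printf("%d rows, first id %d\n", count($rows), $rows[0]['id']);

// A legitimate page number still paginates as expected.
$rows = fetch_page($pdo, ['param' => 'timestamp', 'dirc' => 'DESC', 'pg' => '2']);
printf("%d rows, first id %d\n", count($rows), $rows[0]['id']);
```

The same pattern applies to the "param" and "dirc" values: because identifiers and sort direction cannot be bound as parameters, they are mapped onto a fixed list rather than interpolated from the request.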

 
Blogger r0t told...

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4617

10:46 PM

Copyright (c) 2006 Pridels Sec Crew