echo.or.id                                                 ECHO_ADV_14$2005
---------------------------------------------------------------------------
Multiple Vulnerabilities in Liberum Help Desk
---------------------------------------------------------------------------
Author   : Dedi Dwianto
Date     : June, 02nd 2005
Location : Indonesia, Jakarta
Web      : http://echo.or.id/adv/adv14-theday-2005.txt
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Liberum Help Desk
Version     : >0.97.3
URL         : http://www.liberum.org
Author      : Liberum
Description : Liberum Help Desk is the complete help desk solution for
              small to medium sized businesses and organizations. This
              software provides a simple, easy to use web interface for
              managing and tracking technical support problems.

This software is vulnerable to Cross-Site Scripting and SQL Injection in
many pages.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)

* File castnewPost.asp
  http://[url]/liberum/castnewPost.asp
  Hole in input form

Problem script: castnewPost.asp
--------------
...
...
strAltEmail    = Request.Form("tbxAltEmail")
strTitle       = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution  = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
    .Title       = strTitle
    .Description = strDescription
    .Resolution  = strResolution
    .AltEMail    = strAltEmail
...
--------------

This script lets the user submit HTML characters on the newpost.asp page
without any filtering. For example, input data like:

- Email       : dudul@test.com
- Title       : test
- Description : test
Etc.

* File CaseModifyPost.asp
  Hole in input form

Problem script: castnewPost.asp
--------------
...
...
strAltEmail    = Request.Form("tbxAltEmail")
strTitle       = Request.Form("tbxTitle")
strDescription = Request.Form("txtDescription")
strResolution  = Request.Form("txtResolution")
...
...
Set objCase = New clsCase
...
    .Title       = strTitle
    .Description = strDescription
    .Resolution  = strResolution
    .AltEMail    = strAltEmail
...
--------------

B. SQL Injection

Multiple SQL Injection in some pages:

- http://[url]/liberum/view.asp?id='[SQL Injection]
- http://[url]/liberum/register.asp?edit='[SQL Injection]
- http://[url]/liberum/print.asp?id='[SQL Injection]

Problem script:

* clsListitem.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
    ID = m_ID
End Property

Public Property Let ID(f_ID)
    If IsNumeric(f_ID) Then
        m_ID = f_ID
    End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------

* clscategory.asp
---------------
...
intPage = CInt(Request.Querystring("Page"))
...
Public Property Get ID() ' As Long
    ID = m_ID
End Property

Public Property Let ID(f_ID)
    If IsNumeric(f_ID) Then
        m_ID = f_ID
    End If
End Property
...
...
strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
Set rsList = Server.CreateObject("ADODB.RecordSet")
rsList.Open strQuery, m_cnnDB
...
---------------

C. Solution

Use Replace on the input strings and add a script that validates the
input form, filtering some characters.

- castnewPost.asp

* Add this code after:
----- Begin -----
EOF

* Add code to call that function in the form tag.
  Find:

  Replace:

* Add the validation script into all pages to filter XSS.

* Filter for SQL Injection
  Find:
  ...
  Public Property Let ID(f_ID)
      If IsNumeric(f_ID) Then
          m_ID = f_ID
  ...
  Replace:
  ...
  Public Property Let ID(f_ID)
      ' strip single quotes from the variable before the numeric check,
      ' not from the literal string "f_ID"
      f_ID = Replace(f_ID, "'", "")
      If IsNumeric(f_ID) Then
          m_ID = f_ID
  ...

---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy, MSR
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
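Appended as an added example, not code from Liberum Help Desk or from the advisory above: a hardened form of the clsListitem.asp ID property and lookup (SQL Injection, section B) together with output encoding for the clsCase fields (XSS, section A). The table tblLists, the column ListItemPK, m_ID, m_cnnDB and the clsCase field names are taken from the advisory; the class name clsListItemSafe, the helper SafeHtml, the open connection cnnDB and the Title column are assumptions, and the two Const values are the standard ADO constants normally included from adovbs.inc.

```asp
<%
' Added example (not part of Liberum Help Desk or of this advisory).
' Fix 1: accept only a genuine positive integer for the ID and bind it as
'        a typed ADO parameter instead of concatenating it into the SQL.
' Fix 2: HTML-encode every case field at the point it is rendered.
' cnnDB is assumed to be the ADODB.Connection the application already opens.

Const adInteger    = 3   ' standard ADO value, normally from adovbs.inc
Const adParamInput = 1   ' standard ADO value, normally from adovbs.inc

Class clsListItemSafe          ' assumed name; mirrors the clsListitem pattern
    Private m_ID
    Private m_cnnDB

    Private Sub Class_Initialize
        m_ID = 0
    End Sub

    Public Property Get ID()
        ID = m_ID
    End Property

    ' IsNumeric alone is too loose: it also accepts "1e3", "&H1F" and
    ' "1,000". Round-trip the value through CLng and keep it only when it
    ' prints back identically, so anything carrying a quote or extra
    ' characters leaves m_ID at 0 and no query is ever built from it.
    Public Property Let ID(f_ID)
        Dim strIn, lngTmp
        m_ID = 0
        strIn = Trim(CStr(f_ID & ""))          ' Null/Empty become ""
        If IsNumeric(strIn) Then
            On Error Resume Next
            lngTmp = CLng(strIn)
            If Err.Number = 0 Then
                If CStr(lngTmp) = strIn And lngTmp > 0 Then m_ID = lngTmp
            End If
            Err.Clear
            On Error GoTo 0
        End If
    End Property

    ' Returns the matching recordset, or Nothing when the ID was rejected.
    ' The SQL text is constant; the value travels as a parameter.
    Public Function Load(cnnDB)
        Dim cmd
        Set Load = Nothing
        If m_ID = 0 Then Exit Function
        Set m_cnnDB = cnnDB
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = m_cnnDB
        cmd.CommandText = "SELECT * FROM tblLists WHERE ListItemPK = ?"
        cmd.Parameters.Append cmd.CreateParameter("ListItemPK", adInteger, adParamInput, 4, m_ID)
        Set Load = cmd.Execute
    End Function
End Class

' Encode on output rather than on input: Title, Description, Resolution
' and AltEMail are stored as submitted and made safe where they are
' rendered, which also covers rows that reached the database another way.
Function SafeHtml(varValue)                   ' assumed helper name
    SafeHtml = Server.HTMLEncode(CStr(varValue & ""))
End Function

' --- usage, as view.asp would do it --------------------------------------
Dim objItem, rsList
Set objItem = New clsListItemSafe
objItem.ID = Request.QueryString("id")        ' "12" -> 12 ; "12'" -> 0
Set rsList = objItem.Load(cnnDB)
If rsList Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "<p>Invalid list item id.</p>"
ElseIf Not rsList.EOF Then
    ' tblLists column names are not given in the advisory; "Title" is a placeholder.
    Response.Write "<td>" & SafeHtml(rsList("Title")) & "</td>"
End If
%>
```

The advisory's own fix strips single quotes and then trusts IsNumeric; the version here does not need a character blacklist at all, because a parameter can never change the structure of the statement and the CLng round-trip rejects every value that is not a plain integer. For the XSS side, encoding at output time with Server.HTMLEncode is preferable to a client-side validation script, which a user can simply bypass by posting the form directly.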