DUportal 3.1.2 suffers from numerous SQL injection flaws.
Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: Very High
Title: DUportal 3.1.2 and DUportal 3.1.2 SQL have many SQL injection vulnerabilities.
Date: 20/04/2005
Vendor: DUware
Vendor Website: http://www.duware.com
Summary: There are many SQL injections in DUportal 3.1.2 and DUportal 3.1.2 SQL.

Proof of Concept Exploits:
http://localhost/test_DUportal/home/../home/channel.asp?iChannel='SQL_INJECTION&nChannel=Articles
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND CAT_CHANNEL = ''SQL_INJECTION'.
/test_DUportal/includes/inc_channel.asp, line 44

http://localhost/test_DUportal/home/detail.asp?iData='SQL_INJECTION&iCat=221&iChannel=7&nChannel=Ads
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_detail.asp, line 39

http://localhost/test_DUportal/home/detail.asp?iData=136&iCat='SQL_INJECTION&iChannel=7&nChannel=Ads
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 136 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/includes/inc_poll_voting.asp?DAT_PARENT='SQL_INJECTION&DAT_CATEGORY=254&CHA_ID=15&CHA_NAME=Polls&DAT_ID=112
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DAT_ID = 'SQL_INJECTION'.
/test_DUportal/includes/inc_poll_voting.asp, line 47

http://localhost/test_DUportal/includes/inc_rating.asp?iChannel=8&iCat=231&iData='SQL_INJECTION&nChannel=Products&iRate=5
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_rating.asp, line 47

http://localhost/test_DUportal/includes/inc_rating.asp?iChannel=8&iCat=231&iData=86&nChannel=Products&iRate='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_RATED + ''SQL_INJECTION'.
/test_DUportal/includes/inc_rating.asp, line 47

http://localhost/test_DUportal/home/detail.asp?iData=86&iCat='SQL_INJECTION&iChannel=8&nChannel=Products
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 86 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/home/channel.asp?iChannel='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND CAT_CHANNEL = ''SQL_INJECTION'.
/test_DUportal/includes/inc_channel.asp, line 44

http://localhost/test_DUportal/home/detail.asp?iData='SQL_INJECTION&iCat=248&iChannel=6&nChannel=Events
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_detail.asp, line 39

http://localhost/test_DUportal/home/detail.asp?iData=10&iCat='SQL_INJECTION&iChannel=1&nChannel=News
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 10 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/home/search.asp?keyword=dcrab&iChannel='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'DAT_CATEGORY = CAT_ID AND CHA_ID = CAT_CHANNEL AND CHA_ID = 'SQL_INJECTION AND (DAT_NAME LIKE '%dcrab%' OR DAT_DESCRIPTION LIKE '%dcrab%') AND DAT_APPROVED = 1 AND CHA_ACTIVE=1 AND DAT_EXPIRED > DATE() AND DAT_PARENT=0 ORDER BY CHA_MENU, CAT_NAME, DAT_NAME'.
/test_DUportal/includes/inc_result.asp, line 53

http://localhost/test_DUportal/home/type.asp?iCat='SQL_INJECTION&iChannel=8&nChannel=Products
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_CATEGORY = CAT_ID AND CAT_CHANNEL = CHA_ID AND DAT_APPROVED=1 AND CHA_ACTIVE=1 AND DAT_EXPIRED > DATE() AND DAT_CATEGORY = ''SQL_INJECTION'.
/test_DUportal/includes/inc_type.asp, line 41
Possible Fixes: Using mysql_escape_string(), mysql_real_escape_string() and other input validation functions before passing user input to the mysql database would solve these problems.
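The error messages above all come from a classic ASP page concatenating a query-string value straight into an Access SQL string. As an added example (not DUportal's code and not the author's), here is that unsafe shape beside a hardened classic ASP/ADO version that rejects non-numeric IDs and binds the value as a parameter; the connection string and the table name tblData are assumed, only the DAT_* column names come from the advisory.

```vbscript
<%
' Added example: hardened handling of the iData parameter that detail.asp passes to
' its query. Not DUportal's own code; tblData and Application("ConnString") are assumed.

' ADO constants (normally from adovbs.inc), written out so no include is needed.
Const adInteger = 3
Const adParamInput = 1

' True only for a plain, bounded decimal integer. IsNumeric alone is not enough:
' it also accepts forms such as "1e3", "&H1F" and "1,000".
Function IsPlainId(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPlainId = re.Test(value)
End Function

' Vulnerable shape (for contrast only): the raw query string becomes SQL text, which is
' what produces "Syntax error (missing operator) ... 'DAT_ID = ''SQL_INJECTION'".
'   strSQL = "SELECT DAT_NAME FROM tblData WHERE DAT_ID = " & Request.QueryString("iData")

' Hardened shape: validate the type, then bind the value so the driver never parses it as SQL.
Function FetchItem(conn, rawId)
    Set FetchItem = Nothing
    If Not IsPlainId(rawId) Then
        Response.Status = "400 Bad Request"
        Exit Function
    End If
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT DAT_NAME, DAT_DESCRIPTION FROM tblData " & _
                      "WHERE DAT_ID = ? AND DAT_APPROVED = 1 AND DAT_EXPIRED > DATE()"
    cmd.Parameters.Append cmd.CreateParameter("pId", adInteger, adParamInput, , CLng(rawId))
    Set FetchItem = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: Access connection string set at application start
Set rs = FetchItem(conn, Request.QueryString("iData"))
If rs Is Nothing Then
    Response.Write "Invalid item id."
ElseIf Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("DAT_NAME") & "")   ' encode on output as well
End If
%>
```

The same pattern (regex type check plus a bound parameter) applies to iChannel, iCat and iRate, which the advisory shows reaching the query in the same way.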
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/.
Look out for my book on secure coding with PHP, coming out soon.

Sincerely,
Diabolic Crab
Web Security, Research & Development
dP Security
email: dcrab@digitalparadox.org
website: http://www.digitalparadox.org

This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; you should also not copy the message nor disclose its contents to anyone. Many thanks.