CVE-2002-0607
CVSS 7.5
Published: 2002-06-18 00:00:00
Modified: 2008-09-05 16:28:28

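[Original] members.asp in Snitz Forums 2000 version 3.3.03 and earlier allows remote attackers to execute arbitrary code via a SQL injection attack on the parameters (1) M_NAME, (2) UserName, (3) FirstName, (4) LastName, or (5) INITIAL.


[CNNVD] Snitz Forums 2000 Members.ASP SQL command injection vulnerability (CNNVD-200206-033)

        
        Snitz Forums 2000 is an ASP-based web forum program that runs on Microsoft Windows operating systems and supports Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.
        The members.asp script in Snitz Forums 2000 does not properly check user input, which allows an attacker to insert SQL commands that operate on the database.
        In the members.asp script, when member information is listed by search criteria, the input (M_NAME) is not properly checked against user-submitted data. An attacker can submit a SELECT statement combined with UNION to operate on the database, so that arbitrary data in the database can be viewed or the database can be damaged.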
        

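- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]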

- CPE (affected platforms and products)

cpe:/a:snitz_communications:snitz_forums_2000:3.1:sr4  Snitz Communications Snitz Forums 2000 3.1 SR4
cpe:/a:snitz_communications:snitz_forums_2000:3.3.01  Snitz Communications Snitz Forums 2000 3.3.01
cpe:/a:snitz_communications:snitz_forums_2000:3.0  Snitz Communications Snitz Forums 2000 3.0
cpe:/a:snitz_communications:snitz_forums_2000:3.3.02  Snitz Communications Snitz Forums 2000 3.3.02
cpe:/a:snitz_communications:snitz_forums_2000:3.3  Snitz Communications Snitz Forums 2000 3.3
cpe:/a:snitz_communications:snitz_forums_2000:3.3.03  Snitz Communications Snitz Forums 2000 3.3.03

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0607
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0607
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-033
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4558
(VENDOR_ADVISORY)  BID  4558
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26770
(PATCH)  CONFIRM  http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26770
http://archives.neohapsis.com/archives/bugtraq/2002-04/0279.html
(VENDOR_ADVISORY)  BUGTRAQ  20020419 Snitz Forums 2000 remote SQL query manipulation vulnerability
http://www.iss.net/security_center/static/8898.php
(VENDOR_ADVISORY)  XF  snitz-members-sql-injection(8898)

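- Vulnerability information

Snitz Forums 2000 Members.ASP SQL command injection vulnerability
High risk  Input validation
2002-06-18 00:00:00 2006-08-24 00:00:00
Remote
        
        Snitz Forums 2000 is an ASP-based web forum program that runs on Microsoft Windows operating systems and supports Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.
        The members.asp script in Snitz Forums 2000 does not properly check user input, which allows an attacker to insert SQL commands that operate on the database.
        In the members.asp script, when member information is listed by search criteria, the input (M_NAME) is not properly checked against user-submitted data. An attacker can submit a SELECT statement combined with UNION to operate on the database, so that arbitrary data in the database can be viewed or the database can be damaged.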
        

- Advisories and patches

        Workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * In members.asp, change the following lines:
        SearchName = Request("M_NAME")
        if SearchName = "" then
            SearchName = Request.Form("M_NAME")
        end if
        to:
        if IsValidString(Request("M_NAME")) then
            SearchName = Request("M_NAME")
        end if
        if SearchName = "" then
            if IsValidString(Request.Form("M_NAME")) then
                SearchName = Request.Form("M_NAME")
            end if
        end if
        * In the IsValidString(sValidate) function in inc_function.asp, change:
        sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"
        to:
        sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
        Vendor patch:
        Snitz Forums 2000
        -----------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://forum.snitz.com/
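
The workaround above, modelled in Python as an added example (not code from the advisory or from Snitz). It assumes IsValidString returns False whenever the value contains a character from sInvalidChars, since the function body is not shown on this page; rejected_chars and search_name are hypothetical names. It checks a plain name, a constructed name containing a quote, and the M_NAME value from the proof-of-concept quoted on this page against the old and new character lists.

```python
from urllib.parse import unquote

# Blacklists quoted in the workaround (sInvalidChars in inc_function.asp).
OLD_INVALID = "!#$%^&*()=+{}[]|\\;:/?>,<"
NEW_INVALID = OLD_INVALID + "'"

# M_NAME value from the proof-of-concept quoted on this page, as truncated there.
POC_M_NAME = unquote(
    "XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,"
    "%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%"
)


def rejected_chars(value, invalid_chars):
    """Blacklisted characters found in value, in order of first appearance."""
    found = []
    for ch in value:
        if ch in invalid_chars and ch not in found:
            found.append(ch)
    return found


def is_valid_string(value, invalid_chars):
    """Assumed IsValidString behaviour: False if any blacklisted character occurs."""
    return not rejected_chars(value, invalid_chars)


def search_name(request_value, form_value, invalid_chars):
    """Patched members.asp logic: keep M_NAME only if it validates.

    request_value models Request("M_NAME"), form_value Request.Form("M_NAME").
    """
    name = ""
    if is_valid_string(request_value, invalid_chars):
        name = request_value
    if name == "" and is_valid_string(form_value, invalid_chars):
        name = form_value
    return name


if __name__ == "__main__":
    # "O'Brien" is a constructed, legitimate member name containing a quote.
    for label, value in [("plain", "A"), ("quote", "O'Brien"), ("poc", POC_M_NAME)]:
        for name, chars in [("old", OLD_INVALID), ("new", NEW_INVALID)]:
            print(label, name, rejected_chars(value, chars),
                  repr(search_name(value, "", chars)))
```

Under the old list the quoted proof-of-concept value is already rejected once IsValidString is called, but a value containing only a quote still reaches the query, which is what the added ' closes. The same change also rejects legitimate names that contain an apostrophe.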

- Vulnerability information (21400)

Snitz Forums 2000 3.x Members.ASP SQL Injection Vulnerability (EDBID:21400)
asp webapps
2002-04-19 Verified
0 acemi
N/A
source: http://www.securityfocus.com/bid/4558/info

Snitz Forums 2000 is ASP-based web forum software. It runs on Microsoft Windows operating systems. Snitz is back-ended by a database and supports Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.

It is possible for a remote attacker to inject SQL into queries made by the members.asp script.

Depending on the database implementation used, this may possibly result in sensitive information in the database being disclosed or may enable the attacker to modify data. There is also the possibility that this issue may be leveraged to exploit vulnerabilities that may exist in the underlying database.

Normally, to view the members' list whose membername starts with 'A', members.asp page is used as the following:

/members.asp?mode=search&M_NAME=A&initial=1&method=


Use this link to view the vulnerability:

/members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%

- Vulnerability information

10069
Snitz Forums members.asp Multiple Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-04-19 Unknown
2002-04-19 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Snitz Forums 2000 Members.ASP SQL Injection Vulnerability
Input Validation Error 4558
Yes No
2002-04-19 12:00:00 2009-07-11 12:46:00
Discovery of this issue is credited to acemi <acemi_5@yahoo.com>.

- Affected software versions

Snitz Forums 2000 Snitz Forums 2000 3.3.03
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Snitz Forums 2000 Snitz Forums 2000 3.3.02
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Snitz Forums 2000 Snitz Forums 2000 3.3.01
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Snitz Forums 2000 Snitz Forums 2000 3.3
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Snitz Forums 2000 Snitz Forums 2000 3.1
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Snitz Forums 2000 Snitz Forums 2000 3.0
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0

- Discussion

Snitz Forums 2000 is ASP-based web forum software. It runs on Microsoft Windows operating systems. Snitz is back-ended by a database and supports Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.

It is possible for a remote attacker to inject SQL into queries made by the members.asp script.

Depending on the database implementation used, this may possibly result in sensitive information in the database being disclosed or may enable the attacker to modify data. There is also the possibility that this issue may be leveraged to exploit vulnerabilities that may exist in the underlying database.

- Exploit

This may be exploited with a web browser. The following proof-of-concept was provided:

Normally, to view the members' list whose membername starts with 'A', members.asp page is used as the following:

/members.asp?mode=search&M_NAME=A&initial=1&method=


Use this link to view the vulnerability:

/members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%

- Solution

The vendor has provided fix information at the following location:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26776

- Related references

 

 
