IRM PLC
Research & Development

Advisory 026

RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)

Vulnerability Type / Importance: SQL injection / Critical

Problem Discovered: 12 February 2008
Vendor Contacted: 19 February 2008
Advisory Published: 21 April 2008

Abstract

The RedDot CMS product (http://www.reddot.com) is vulnerable to a pre-authentication SQL injection vulnerability which, when exploited, allows enumeration of all SQL database content.

Description

The ‘LngId’ parameter passed to IoRD.asp is responsible for assigning the language context for the CMS application. The vulnerability exists as a result of inadequate validation of user-supplied input within this parameter.

Technical Details

Normal input for the ‘LngId’ parameter contains a code such as ENG, DEU, JP, denoting the language type. This parameter is not properly validated and the injection of SQL statements within it allows attackers unrestricted access to enumerate information from the database. For example:

https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '' ORDER BY 1;-- &DisableAutoLogin=1
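
For defenders reviewing web server logs, the check below flags requests to ioRD.asp whose decoded LngId is not a plain language code. It is an added example, not part of the IRM advisory or of RDdbenum.py. Assumptions: legitimate codes are two or three ASCII letters, the log uses a quoted request line, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: legitimate LngId values are 2-3 ASCII letters (ENG, DEU, JP).
LANG_CODE = re.compile(r"[A-Za-z]{2,3}")
# Assumption: access log lines carry a quoted request line ("GET /path HTTP/1.1").
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def suspicious_lngid(target):
    """Return the decoded LngId if it is not a plain language code, else None."""
    parts = urlsplit(target)
    # IIS paths and classic ASP parameter names are case-insensitive.
    if not parts.path.lower().endswith("/iord.asp"):
        return None
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name).lower() != "lngid":
            continue
        value = unquote_plus(raw)  # decode %xx and '+' before checking
        if not LANG_CODE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded LngId) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            value = suspicious_lngid(match.group(1))
            if value is not None:
                hits.append((number, value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2008:10:01:02 +0000] "GET /cms/ioRD.asp?Action=ShowMessage&LngId=ENG&DisableAutoLogin=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Feb/2008:10:01:09 +0000] "GET /cms/iord.asp?Action=ShowMessage&lngid=DEU HTTP/1.1" 200 5098',
    '192.0.2.77 - - [12/Feb/2008:10:02:30 +0000] "GET /cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0+FROM+IO_DGC_ENG+UNION+SELECT+min(name)+FROM+SYSOBJECTS HTTP/1.1" 200 733',
    '192.0.2.77 - - [12/Feb/2008:10:02:31 +0000] "GET /cms/ioRD.asp?Action=ShowMessage&LngId= HTTP/1.1" 500 210',
    '192.0.2.10 - - [12/Feb/2008:10:03:00 +0000] "GET /cms/other.asp?LngId=x%27 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected LngId {value!r}")
```

The check only sees query strings; a LngId submitted in a POST body does not appear in a standard access log and needs request-body logging or an inline filter to inspect.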

Proof of Concept

A working Proof of Concept (RDdbenum.py) has been developed to automate enumeration of the entire database content. It is available from http://www.irmplc.com/Tools/RDdbenum.py

Workaround / Solutions

There are no known workarounds for this vulnerability.
The vendor has released a patch for this vulnerability, Release 7.5.1.86, available through the normal Red Dot customer support contact.

Tested / Affected Versions

IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5 Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0; however, this has not been fully verified.

Credits

Research and Advisory: Mark Crowther and Rodrigo Marcos

About IRM

Information Risk Management Plc (IRM) is a vendor independent information risk consultancy, founded in 1998. IRM has become a leader in client side risk assessment, technical level auditing and in the research and development of security vulnerabilities and tools. IRM is headquartered in London with Technical Centres in Europe and Asia as well as Regional Offices in the Far East and North America. Please visit our website at http://www.irmplc.com for further information.

Disclaimer

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.
 

 
8th Floor Kings Building, Smith Square, London, SW1P 3JJ
Tel: +44 (0)20 7808 6420 Fax: +44 (0)20 7808 6421 Email: enquiries@irmplc.com
Copyright © 2008 IRM Plc.