RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification

I am unfamiliar with <Body>Builder (and their site is in Russian, so I can't
find a link), but in normal Java web development pages named *_jsp.java are
generated Java code from .jsp files.

The name of the *_jsp.java files is non-standard and varies between servlet
engine implementations. The behaviour of the servlet engine when these files
are modified is also non-standard (some will recompile the file to pick up
the changes, but others - e.g. Tomcat 3.2 - will not).

The recommended fix should be implemented in the .jsp files (if available -
they are sometimes shipped inside a .war file), not the .java files. Of
course, if the *.jsp files are unavailable then this may be the best possible
work-around.

Regards,
  Nick Lothian


> -----Original Message-----
> From: Alexander Korchagin [mailto:akor@tsaritsyno.ru]
> Sent: Friday, 14 June 2002 1:17 AM
> To: bugtraq@securityfocus.com
> Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification
> 
> 
> 
> Original reference: 
> http://www.security.nnov.ru/search/news.asp?binid=2092
> 
> Title:          <BODY>Builder SQL modification
> Author:         mam0nt of Limpid Byte http://lbyte.void.ru/
> Vendor:         Ruslan Communications
> Vendor URL:     http://ruslan-com.ru/
> Vendor Status:  Contacted, not replied
> Released:       June, 13 2002
> 
> Background:
> 
>  <Body>Builder is a site building engine by Ruslan Communications
>  written in Java. It has administrative access via http://site/Admin.
>  All accounts are stored in a database and accessed via SQL.
> 
> Problem:
> 
>  Lack of input validation on the server side allows a user to modify
>  the SQL request during authentication. It may be used to access the
>  administrative interface without a password or to run any SQL request
>  on the backend.
> 
> Exploitation:
> 
>  Use login='-- and pass='--
> 
> Solution:
> 
>  Edit _login__jsp.java:
> 
>           -- cut --
>           java.lang.String _jspParam;
>           _jspParam = request.getParameter("username");
>           if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
>            Log.setUsername(_jspParam);
>           _jspParam = request.getParameter("password");
>           if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
>            Log.setPassword(_jspParam);
>           --cut--
> 
>  Add new function called _checkvalue
> 
>           public static boolean _checkvalue(java.lang.String _value)
>           {
>            int count;
>            char temp;
>            for (count=0;count<_value.length();count++)
>            {
>             temp=_value.charAt(count);
>             if (temp=='\'' ) return false;
>            }
>             return true;
>           }
>                 
> Vendor:
> 
>  Vendor notified via e-mail without feedback.
> 
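To make concrete what the quoted advisory describes, here is an added example; it is not code from the advisory, from Nick Lothian's reply or from Ruslan Communications. The page does not show <Body>Builder's actual SQL, so the query shape, the `accounts` table and its two rows are constructed assumptions, and SQLite stands in for the unknown backend; Python is used rather than Java so the block runs without a JDBC driver. It generalizes the advisory's `'--` payload by prefixing a target username (`admin'--`), which makes visible how the `--` comments away the password clause; what the bare `'--` of the advisory achieves depends on how the application consumes the result of the truncated query, which the page does not show. The block also reproduces the advisory's `_checkvalue` filter beside a parameterized query, the fix a practitioner would prefer over character blacklisting.

```python
"""Added example (not from the advisory or the vendor): how a '-- payload
truncates a string-built login query, what the advisory's single-quote
filter catches, and why bound parameters are the robust fix.

Assumptions: the real <Body>Builder SQL is not on the page, so the query
shape below is hypothetical; the schema and accounts are constructed test
data; SQLite stands in for the unknown backend.
"""
import sqlite3


def make_db():
    """Constructed in-memory database with one administrative account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 's3cret', 1)")
    conn.execute("INSERT INTO accounts VALUES ('guest', 'guest', 0)")
    conn.commit()
    return conn


def build_query(username, password):
    """Hypothetical vulnerable query: request parameters concatenated into SQL."""
    return ("SELECT username FROM accounts WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(conn, username, password):
    """Returns the matched username (or None) using the concatenated query."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def check_value(value):
    """The advisory's _checkvalue in Python: reject input containing a single quote."""
    return "'" not in value


def filtered_login(conn, username, password):
    """The advisory's mitigation: refuse the attempt if either field fails check_value."""
    if not (check_value(username) and check_value(password)):
        return None
    return vulnerable_login(conn, username, password)


def parameterized_login(conn, username, password):
    """Robust fix: bound parameters, so the input is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "admin'--"  # the advisory's '-- payload with a target username in front
    print(build_query(payload, "wrong"))
    # SELECT username FROM accounts WHERE username='admin'--' AND password='wrong'
    print(vulnerable_login(conn, payload, "wrong"))       # admin: password clause is commented out
    print(filtered_login(conn, payload, "wrong"))         # None: the quote filter rejects the input
    print(parameterized_login(conn, payload, "wrong"))    # None: no literal username "admin'--"
    print(parameterized_login(conn, "admin", "s3cret"))   # admin
```

The quote filter blocks this particular payload, but it is a blacklist: it has to be applied at every input that reaches SQL and, as Nick Lothian notes above, in the .jsp source rather than the generated _login__jsp.java, or a recompile may silently drop it. Binding parameters removes the class of bug rather than one character.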
