3rd party security issues

zy8rr
Newbie
Joined: 13 May 2008
Posted: 13 May 2008 at 5:48am
Hi, my company deployed the forum v9.0.8 to a website.

A 3rd party company tested the deployed forum and came back with some SQL injection and cross-site scripting issues, as below.

So my question is:
What do I need to consider when changing the code myself to suit the security requirements (e.g. does the parameter returnURL need to have URL-encoded values - %3D %3F etc.)?


login_user.asp
The following changes were applied to the original request:
- Set parameter 'password's value to '1234%a5'%20having%201=1--'
Validation In Response:
- /><strong>File Name:-</strong> functions_login.asp<br /><br /><strong>Error
details:-</strong><br />Microsoft OLE DB Provider for SQL Server<br />Optimistic
concurrency check failed. The row was modified outside of t

login_user.asp
The following changes were applied to the original request:
- Set parameter 'returnURL's value to 'login_user.asp%3F%27%22WFXSSProbe%29%2F%3E'
Validation In Response:
- /><strong>File Name:-</strong> functions_login.asp<br /><br /><strong>Error
details:-</strong><br />Microsoft OLE DB Provider for SQL Server<br />Optimistic
concurrency check failed. The row was modified outside of t



Thanks,
Zhen Yang


WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Posted: 13 May 2008 at 8:47am
Both of these are database errors, and neither 'password' nor 'returnURL' is used for any type of database query, so I cannot see how these errors can be produced without modifying the code.

Have you modified the forum's code yourself?

If not, please use the Report Software Vulnerability form at http://www.webwiz.net/contact/ with as much detail as possible, including what was passed to the login page to cause this, so that this vulnerability can be fixed ASAP.

WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Posted: 13 May 2008 at 9:59am
I have looked into this and these are actually false positives produced by the app test software.

Both of these give the same database error message which has nothing to do with XSS or SQL Injections.

XSS and SQL Injections are taken care of by Web Wiz Forums in the original unmodified code for the login.

The error message itself is a custom error message produced by Web Wiz Forums.

What is happening is that the test software is running multiple simultaneous tests on the same forum user account. Each time an incorrect login is made, Web Wiz Forums saves the number of 'bad' login attempts on that account.

As performance isn't a major issue on this page, as multiple simultaneous login attempts at the same split second should not happen in normal use, ADO is used for the update, where the data is read into a recordset when getting the data on the user and then the recordset is updated before being saved back to the database.

What is happening is that in between reading in the data for the user, another simultaneous test on the same user account has already updated the database. Meaning the data read in is a 'dirty' read, and when it goes to save the data back to the database, ADO throws an error that the data has already been updated due to the other simultaneous test on the user's account and returns the error message you see below:-

Optimistic concurrency check failed. The row was modified outside of this cursor.

This means that the test software being used is throwing a 'false positive', as neither of these tests is SQL Injection or XSS, and what is happening in effect is that the test software is causing what is effectively a DOS attack on the login page, causing ADO to throw an error message which is unrelated to the actual type of test being performed.

If you run the test again, but this time get the app test software to run at a slower pace, without too many simultaneous tests on the login_user.asp page, it should pass the tests without any issues.


Edited by WebWiz-Bruce - 13 May 2008 at 10:02am
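
The read-then-save race described in the post above, as an added example that is not part of the original thread and is not Web Wiz Forums code: it models the optimistic check with SQLite and a version column, and shows that the error depends on request ordering rather than on the submitted value. The table, column and function names and the sample inputs are assumptions made for illustration; the single-statement counter update is one general alternative, not the project's fix.

```python
import sqlite3

class ConcurrencyError(Exception):
    """Stands in for ADO's 'Optimistic concurrency check failed' error."""

def make_db():
    # Constructed sample data: one account with a bad-login counter.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, bad_logins INTEGER, row_ver INTEGER)")
    db.execute("INSERT INTO users VALUES ('testuser', 0, 1)")
    return db

def read_row(db):
    # Read step: snapshot the row, as reading it into a recordset would.
    return db.execute("SELECT bad_logins, row_ver FROM users").fetchone()

def save_row(db, snapshot):
    # Write step: succeeds only if the row is unchanged since the snapshot.
    bad, ver = snapshot
    cur = db.execute("UPDATE users SET bad_logins = ?, row_ver = ?"
                     " WHERE name = 'testuser' AND row_ver = ?",
                     (bad + 1, ver + 1, ver))
    if cur.rowcount == 0:
        raise ConcurrencyError("row was modified outside of this cursor")

def overlapping_logins(passwords):
    """All requests read before any saves, as with a fast parallel scan."""
    db = make_db()
    pending = [(pw, read_row(db)) for pw in passwords]
    outcomes = {}
    for pw, snapshot in pending:
        try:
            save_row(db, snapshot)
            outcomes[pw] = "saved"
        except ConcurrencyError:
            outcomes[pw] = "concurrency error"
    return outcomes, read_row(db)[0]

def atomic_logins(passwords):
    """Same requests, but the counter is bumped in a single statement."""
    db = make_db()
    for _ in passwords:
        db.execute("UPDATE users SET bad_logins = bad_logins + 1, row_ver = row_ver + 1")
    return read_row(db)[0]

PROBES = ["wrong-password", "1234' having 1=1--", "plain-typo"]  # constructed inputs

if __name__ == "__main__":
    print(overlapping_logins(PROBES), atomic_logins(PROBES))
```

The password strings are never placed in the SQL text, so an ordinary typo that arrives second fails in exactly the same way as the injection-style probe.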

zy8rr
Newbie
Joined: 13 May 2008
Posted: 14 May 2008 at 7:12am
ok thanks!