3rd party security issues
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums Modifications
Forum Description: Mod's and Add-on's for Web Wiz Forums.
URL: https://forums.webwiz.net/forum_posts.asp?TID=25714
Printed Date: 29 March 2026 at 2:09pm Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: 3rd party security issues
Posted By: zy8rr
Subject: 3rd party security issues
Date Posted: 13 May 2008 at 5:48am
Hi, my company deployed the forum v9.0.8 to a website.
A 3rd party company tested the deployed forum and came back with some SQL injection and cross-site scripting issues, as below.
So my question is: what do I need to consider when changing the code myself to suit the security requirements (e.g. does the parameter returnURL need to have URL-encoded values - %3D, %3F, etc.)?
login_user.asp
The following changes were applied to the original request:
- Set parameter 'password's value to '1234%a5'%20having%201=1--'
Validation In Response:
- /><strong>File Name:-</strong> functions_login.asp<br /><br /><strong>Error details:-</strong><br />Microsoft OLE DB Provider for SQL Server<br />Optimistic concurrency check failed. The row was modified outside of t

login_user.asp
The following changes were applied to the original request:
- Set parameter 'returnURL's value to 'login_user.asp%3F%27%22WFXSSProbe%29%2F%3E'
Validation In Response:
- /><strong>File Name:-</strong> functions_login.asp<br /><br /><strong>Error details:-</strong><br />Microsoft OLE DB Provider for SQL Server<br />Optimistic concurrency check failed. The row was modified outside of t
Thanks, Zhen Yang
Replies:
Posted By: WebWiz-Bruce
Date Posted: 13 May 2008 at 8:47am
Both of these are database errors, and neither 'password' nor 'returnURL' is used for any type of database query, so I cannot see how these errors can be produced without modifying the code.
Have you modified the forums code yourself?
If not, please use the Report Software Vulnerability form at http://www.webwiz.net/contact/ with as much detail as possible, including what was passed to the login page to cause this, so that this vulnerability can be fixed ASAP.
Posted By: WebWiz-Bruce
Date Posted: 13 May 2008 at 9:59am
I have looked into this and these are actually false positives produced by the app test software.
Both of these give the same database error message which has nothing to do with XSS or SQL Injections.
XSS and SQL Injections are taken care of by Web Wiz Forums in the original unmodified code for the login.
The error message itself is a custom error message produced by Web Wiz Forums.
What is happening is that the test software is running multiple simultaneous tests on the same forum user account. Each time an incorrect login is made, Web Wiz Forums saves the number of 'bad' login attempts on that account.
As performance isn't a major issue on this page, as multiple simultaneous login attempts at the same split second should not happen in normal use, ADO is used for the update, where the data is read into a recordset when getting the data on the user and then the recordset is updated before being saved back to the database.
What is happening is that in between reading in the data for the user, another simultaneous test on the same user account has already updated the database. Meaning the data read in is a 'dirty' read, and when it goes to save the data back to the database, ADO throws an error that the data has already been updated due to the other simultaneous test on the user's account and returns the error message you see below:-
Optimistic concurrency check failed. The row was modified outside of this cursor.
This means that the test software being used is throwing a 'false positive', as neither of these tests is SQL Injection or XSS, and what is happening in effect is that the test software is causing what is effectively a DOS attack on the login page, causing ADO to throw an error message which is unrelated to the actual type of test being performed.
If you run the test again, but this time get the app test software to run at a slower pace, without too many simultaneous tests on the login_user.asp page, it should pass the tests without any issues.
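The race described in the reply above, modeled as an added example (Python with an in-memory SQLite table, not the forum's ASP/ADO code): the `members` table, the `row_ver` column and all function names are hypothetical, and a version check stands in for ADO's optimistic lock. Every overlapping failed login after the first gets the same concurrency error whatever the request carried, while a single-statement increment has no stale snapshot to trip over.

```python
import sqlite3

class ConcurrencyError(Exception):
    """The row changed between this request's read and its write."""

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT PRIMARY KEY, "
               "bad_logins INTEGER, row_ver INTEGER)")
    db.execute("INSERT INTO members VALUES ('testuser', 0, 0)")
    return db

def read_member(db, name):
    # Read half of read-modify-write: take a snapshot of the row.
    return db.execute("SELECT bad_logins, row_ver FROM members "
                      "WHERE name = ?", (name,)).fetchone()

def save_bad_login(db, name, snapshot):
    # Write half: succeeds only if the row still matches the snapshot,
    # which is the check an optimistic-lock update performs.
    bad, ver = snapshot
    cur = db.execute("UPDATE members SET bad_logins = ?, row_ver = ? "
                     "WHERE name = ? AND row_ver = ?",
                     (bad + 1, ver + 1, name, ver))
    if cur.rowcount == 0:
        raise ConcurrencyError("Optimistic concurrency check failed.")

def atomic_bad_login(db, name):
    # Single-statement increment: no snapshot, so nothing can go stale.
    db.execute("UPDATE members SET bad_logins = bad_logins + 1, "
               "row_ver = row_ver + 1 WHERE name = ?", (name,))

def run_overlapping_probes(labels):
    """Fail several logins whose reads all happen before any write."""
    db = make_db()
    snapshots = [(label, read_member(db, "testuser")) for label in labels]
    results = {}
    for label, snap in snapshots:
        try:
            save_bad_login(db, "testuser", snap)
            results[label] = "ok"
        except ConcurrencyError as exc:
            results[label] = str(exc)
    return results, read_member(db, "testuser")[0]

if __name__ == "__main__":
    print(run_overlapping_probes(["sqli-probe", "xss-probe", "wrong-password"]))
```

The labels are only tags for the requests; a plain wrong password fails the same way as a probe, which is the signal that the error in a scanner report is payload-independent.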
Posted By: zy8rr
Date Posted: 14 May 2008 at 7:12am