rt-sa-2007-004.txt

`Advisory: ActiveWeb Contentserver CMS SQL Injection Management Interface   
  
RedTeam Pentesting discovered an SQL Injection in the  
picture_real_edit.asp script of the activeWeb contentserver CMS during a  
penetration test. An editor with the permission to edit pictures can  
exploit this by injecting arbitrary commands into the "id" variable used  
to fetch an image from the database.  
  
  
Details  
=======  
  
Product: activeWeb contentserver  
Affected Versions: <= 5.6.2929  
Fixed Versions: 5.6.2964  
Vulnerability Type: SQL-Injection  
Security-Risk: high  
Vendor-URL: http://www.active-web.de/aw/home/Produkte/~gf/contentserver/  
Vendor-Status: informed, fixed version released  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-004.php  
Advisory-Status: public  
CVE: CVE-2007-3013  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3013  
  
  
Introduction  
============  
  
contentserver is the comprehensive, scalable Content Management System  
for professional requirements. It combines editorial system, website  
management and development platform for web applications in one package.  
  
(translation of the description on the vendor's homepage)  
  
  
More Details  
============  
  
By accessing the URL  
  
https://www.example.com/admin/picture/picture_real_edit.asp?id=  
  
an editor can edit images. The images are stored in the SQL database and  
referenced by the variable "id". This variable is not filtered, which  
leads to an SQL Injection. The query which is executed is  
  
SELECT Bezeichnung,ImageKommentar,KatalogID FROM RealobjectSmall WHERE  
ID = '$id'  
  
By injecting commands into the "id" parameter, arbitrary SQL statements  
can be executed. The structure of the query is shown on an error page if  
there is an error in it (e.g., by setting id to a single tick "'"),  
making it easy for an attacker to check the exact syntax he needs to  
exploit the vulnerability. The return values of the query will be shown  
in the form fields of the page.  
  
  
Proof of Concept  
================  
  
The following request shows the version of the SQL server and the  
operating system in the "Bezeichnung" form field, using an SQL UNION:  
  
https://www.example.com/admin/picture/picture_real_edit.asp  
?id='%20union%20select%20@@version%20,@@microsoftversion,@@version--   
  
  
Workaround  
==========  
  
A possible workaround would be to use a filtering application set up in  
front of the real webserver, mitigating the risk of being exploited.  
  
  
Fix  
===  
  
The vulnerability is fixed in release 5.6.2964.  
  
  
Security Risk  
=============  
  
The risk of this vulnerability is high. Any editor with the permissions  
to edit an image can inject SQL Code, completely compromising the  
database.  
  
  
History  
=======  
  
2007-05-23 Problem found during a penetration test  
2007-05-30 Vendor notified by customer  
2007-06-01 Vendor called back and confirmed the vulnerability  
2007-06-18 CVE number assigned  
2007-07-11 Vendor released fixed version  
2007-07-13 Advisory released  
  
The vendor was very cooperative. There was always a competent contact  
person available who answered any questions. They did an additional code  
audit after verifying the vulnerability and fixed similar problems  
immediately.  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`