#7 SQL Injection Vulnerabilities

[Matthew Murphy]

FactoSystem CMS Contains Multiple Vulnerabilities

Impact: Multiple vulnerabilities -- all allowing
manipulation of the backend database
Risk: High
Class: Input Validation Error
Affected System: IIS 4.0 or later with ASP enabled and
FactoSystem CMS installed

Description

Multiple SQL injection vulnerabilities exist in the
FactoSystem Content Management System that may allow an
attacker to introduce instructions into an SQL query.
The vulnerabilities exist because the script fails to
verify the validity of numeric data or fails to
properly escape certain control characters in strings.

The problems are in the handling of the query variables
"authornumber" (in author.asp), and "discussblurbid"
(in discuss.asp), and the form variables "name" and
"email" (in holdcomment.asp). An example is below:

http://localhost/author.asp?authornumber=1%28%20And%20AuthorTable%2EAuthorID%3DBlurbTable%2EAuthorID%20And%20BlurbTable%2ESub_id%3DSubjectTable%2ESub_id%20Order%20By%20BlurbTable%2EBlurbdate%20desc%2C%20blurbtable%2Eblurbtime%20desc%3BUPDATE%20user%20SET%20Password%3DPASSWORD%28%27password%27%29%20WHERE%20user%3D%27root%27%3B%20FLUSH%20PRIVILEGES%3B--

[K. John]

Logged In: YES
user_id=215971

These will be fixed in the next release.