QUOTE
SecurityTracker Alert ID: 1013934
SecurityTracker URL: http://securitytracker.com/id?1013934
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: May 11 2005
Impact: Disclosure of system information
Exploit Included: Yes
Version(s): 2.0
Description: ComSec from governmentsecurity.org reported a vulnerability in bttlxeForum. A remote user can determine the installation path and some other system information.
A remote user can supply a specially crafted URL containing a scripting code in hex format to cause the system to disclose the installation path and information about the type of database used by the system.
A demonstration exploit URL is provided:
http://[target]/forums/forum.asp?forumid=19&page=0%27%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
The vendor has been notified.
Impact: A remote user can determine the installation path and the type of database used.
Solution: No solution was available at the time of this entry.
Vendor URL: forums.bttlxe.com/forums/index.asp (Links to External Site)
Cause: Access control error
Underlying OS: Windows (Any)
Reported By: "ComSec" <deadlink@elitemail.org>
Message History: None.
Source Message Contents
Date: Mon, 09 May 2005 01:47:25 -0700
From: "ComSec" <deadlink@elitemail.org>
Subject: bttlxeForum XSS directory path disclosure and DB engine used
hi securitytracker
Product details :
bttlxeForum 2.0 is a popular feature rich database-driven Internet forum solution.
Written entirely in Active Server Pages and is designed to run under Microsoft Windows platforms supporting ASP 3.0 or later and supporting a variety of common database formats, it is supplied free of charge with a software-based installer to allow you to easily install and configure it on your testing and live web servers.
Problem:
by entering a hex encoded script message :
0%27%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
to a specific path.. in this case
/forum.asp?forumid=19&page=0
to form the full URL
hxxp://forums.bttlxe.com/forums/forum.asp?...%72%69%70%74%3E
Will cause an error revealing what DB engine it uses and also system directory path where the product is installed
ERROR MESSAGE EXAMPLE:-
Microsoft JET Database Engine error '80040e14'
The SELECT statement includes a reserved word or an argument name that is misspelled or missing, or the punctuation is incorrect.
C:\DOMAINS\BTTLXE.COM\WWWROOT\FORUMS\FORUMS\../utils/forum/views/normal.asp, line 256
Vendor informed... not yet fixed
regards
--
ComSec
http://www.governmentsecurity.org/forum
http://www.how-to-hack.org
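
A defender-side check for the behaviour reported above, added here as an example and not part of the advisory or the vendor's code: it flags requests whose numeric forum parameters carry non-digit data once percent-decoded, and scans a response body for the verbose database error and installation path. Treating forumid and page as integers, the host forum.example and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: both parameters in the advisory's URL are meant to be integers.
NUMERIC_PARAMS = {"forumid", "page"}

# Verbose classic-ASP database errors of the form quoted in the advisory.
DB_ERROR_RE = re.compile(
    r"Microsoft (JET Database Engine|OLE DB Provider for [\w ]+) error '([0-9A-Fa-f]{8})'"
)
# Absolute Windows paths such as the script path printed under the error.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,<>"]+')


def non_numeric_params(url):
    """Return (name, decoded value) for numeric parameters holding non-digit data."""
    hits = []
    # parse_qsl percent-decodes, so hex-encoded input is judged by what the app sees.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            hits.append((name, value))
    return hits


def leaked_details(body):
    """Report the database engine, error code and file paths exposed in a response."""
    m = DB_ERROR_RE.search(body)
    return {
        "db_engine": m.group(1) if m else None,
        "error_code": m.group(2) if m else None,
        "paths": WIN_PATH_RE.findall(body),
    }


# Constructed request line; only the start of the advisory's payload is used.
SAMPLE_URL = "http://forum.example/forums/forum.asp?forumid=19&page=0%27%3E"
# Error text as quoted in the advisory above.
SAMPLE_BODY = (
    "Microsoft JET Database Engine error '80040e14'\n"
    r"C:\DOMAINS\BTTLXE.COM\WWWROOT\FORUMS\FORUMS\../utils/forum/views/normal.asp, line 256"
)

if __name__ == "__main__":
    print(non_numeric_params(SAMPLE_URL))
    print(leaked_details(SAMPLE_BODY))
```

The first function fits access-log review; the second fits a response scan that confirms detailed errors are no longer sent to clients after a custom error page is configured.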




