Bugtraq mailing list archives

RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification
From: Nick Lothian <nl () essential com au>
Date: Fri, 14 Jun 2002 09:53:52 +0930

I am unfamiliar with <Body>Builder (and their site is in Russian so I can't
find a link), but in normal Java web development pages named *_jsp.java are
generated Java code from .jsp files.

The name of the *_jsp.java files is non-standard and varies between servlet
engine implementations. The behaviour of the servlet engine when these files
are modified is also non-standard (some will recompile the file to pick up
the changes, but others - e.g. Tomcat 3.2 - will not).

The recommended fix should be implemented in the .jsp files (if available -
they are sometimes shipped inside a .war file), not the .java files. Of
course, if the *.jsp files are unavailable then this may be the best possible

  Nick Lothian

-----Original Message-----
From: Alexander Korchagin [mailto:akor () tsaritsyno ru]
Sent: Friday, 14 June 2002 1:17 AM
To: bugtraq () securityfocus com
Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification

Original reference: 

Title:          <BODY>Builder SQL modification
Author:         mam0nt of Limpid Byte http://lbyte.void.ru/
Vendor:         Ruslan Communications
Vendor URL:     http://ruslan-com.ru/
Vendor Status:  Contacted, not replied
Released:       June, 13 2002


 <Body>Builder is a site building engine by Ruslan
 written in Java. It has administrative access via
 All accounts are stored in database and accessed via SQL.


 Lack of input validation from server side allows user to modify SQL
 request during authentication. It may be used to access
 interface without password or to run any SQL request on backend.


 Use login='-- and pass='--


 Edit _login__jsp.java:

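          -- cut --
          java.lang.String _jspParam;
          _jspParam = request.getParameter("username");
          // "&& _checkvalue(_jspParam)" is the condition added by this fix
          if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
          { /* generated code for this parameter, not shown in the advisory */ }
          _jspParam = request.getParameter("password");
          if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
          { /* generated code for this parameter, not shown in the advisory */ }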

 Add new function called _checkvalue

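          // Returns false when the value contains a single quote.
          public static boolean _checkvalue(java.lang.String _value)
          {
           int count;
           char temp;
           for (count=0;count<_value.length();count++)
           {
            temp = _value.charAt(count);   // character under test
            if (temp=='\'' ) return false; // reject the whole value
           }
           return true;
          }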

 Vendor notified via e-mail without feedback.
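
An added example, not part of either message and not <Body>Builder code: the login lookup written with bound parameters in the application source, so that a quote or "--" in the username or password is passed as data and no _checkvalue filter in the generated _login__jsp.java is needed. The class and method names, the table "accounts" and the columns "login" and "pass" are assumptions, since the advisory does not show the query or the schema.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example. Table and column names are assumed, not taken from the product.
public class LoginCheck {

    // The '?' placeholders are bound by the JDBC driver, so the input never
    // becomes part of the SQL text and cannot change the statement's structure.
    private static final String SQL =
        "SELECT 1 FROM accounts WHERE login = ? AND pass = ?";

    public static boolean authenticate(Connection db, String login, String pass)
            throws SQLException {
        // Reject missing or empty parameters, as the generated page already does.
        if (login == null || login.isEmpty() || pass == null || pass.isEmpty()) {
            return false;
        }
        try (PreparedStatement st = db.prepareStatement(SQL)) {
            st.setString(1, login);
            // "pass" is compared as stored; how the password is stored
            // (ideally as a salted hash) is outside this example.
            st.setString(2, pass);
            try (ResultSet rs = st.executeQuery()) {
                return rs.next(); // true only when one row matches both values
            }
        }
    }

    // Usage: java LoginCheck <jdbc-url> <login> <password>
    // Assumes a JDBC driver for the target database is on the classpath.
    public static void main(String[] args) throws SQLException {
        if (args.length != 3) {
            System.err.println("usage: LoginCheck <jdbc-url> <login> <password>");
            System.exit(2);
        }
        try (Connection db = DriverManager.getConnection(args[0])) {
            boolean ok = authenticate(db, args[1], args[2]);
            System.out.println(ok ? "accepted" : "rejected");
        }
    }
}
```

Unlike the quote filter, this keeps legitimate values that contain a single quote usable, and it survives regeneration of the *_jsp.java file because the change lives in the application source.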
