Информационная безопасность
[RU] switch to English


Дополнительная информация

  Ежедневная сводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  The Rat CMS (SQL/XSS) Multiple Remote Vulnerabilities

  [ECHO_ADV_99$2008] Relative Real Estate Systems <= 3.0 (listing_id) Sql Injection Vulnerability

  RSS-aggregator (display) Remote File Inclusion Vulnerability

  IdeBox (include) Remote File Inclusion Vulnerability

From:pelzi_(at)_pelzi.net <pelzi_(at)_pelzi.net>
Date:26 июня 2008 г.
Subject:Multiple vulnerabilities in TietoEnator's Procapita school administration system, at least version "842 Procapita 840SP1"

Product: Procapita (school administration system)
Vendor: TietoEnator Abp
Vulnerable versions: unknown
Impact: high
Found: months ago

The login screens of the school administration database system, "login.asp" and "inloggning.asp", as used in an
unnammed school district in Finland, contain SQL injection vulnerabilities, which can be easily detected by inserting
'||' (the oracle string concatenation operator and ending and starting quotes) within a valid password or username
(they still work), or adding an odd number of quotes (resulting in an exception). The "input validation" in JavaScript
must be "defeated" first - there is no signs of any validation done server side.

The program also contains other SQL injection vulnerabilities in text fields etc. accessible after login - especially
ones that are used to search for information, which may allow compromise of sensitive personal information in the
database via injection to a SELECT query.

The program prints exception handlers to the browser, including Oracle database error strings.

The session cookie lacks the 'secure' flag, and if a logged-in user clicks a link with the http: scheme (such links
exist in the school district's web pages) the cookie will be sent in plain text.

The session cookie is not tied to the visitor's IP address.

The program contains pages that automatically print themselves using JavaScript, leading to possible unintended
printing of private information to a network printer since users are accustomed to clicking "OK".

The program gives the user no way of changing the password or disabling the login. The un-changeable password
generated by the system is alphanumeric and only six characters.

The versioning of the program is so vague (the pages have either no version information at all or conflicting
information) that it is impossible to say which versions are vulnerable, especially since I have no access to multiple
installations, any docs or source.

The vulnerabilities have been reported to the vendor when they were found.

Exploits: None known

Fix: Modify code to properly sanitize user input server side.

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород