From: Sir Mordred (mordred@s-mail.com)
To: full-disclosure@lists.netsys.com
Date: Wed, 07 May 2003 15:47:00 +0000
Subject: [Full-Disclosure] @(#)Mordred Labs security notice - exploring the security companies
// @(#)Mordred Labs security notice 0x0002
Name: Exploring the security companies (part one)
Release date: May 7, 2003
Author: Sir Mordred (mordred@s-mail.com)
I. INTRODUCTION
This is the first part of a security notice about security companies.
I've split the original notice because of the amount of information contained
in it.
The main topic of this notice is "bad coding habits"; next time maybe we
will talk about security audits and source code audits in particular.
Also I should say - somehow I feel respect for people who are doing
security and are brave enough to build a website with dynamic content, not
just a couple of HTML pages. But sometimes a crazy thought crosses my mind -
maybe it is just a dumb honeypot? :-)
The format for vulnerabilities is:
number) [hostname, the company name]
quotes, comments (if any)
* ISSUE (number) - description of the vulnerability
blank line
comments (if any)
blank line
the URL to demonstrate this vulnerability
blank line
the error message (if any)
II. DETAILS
Now let's begin with the rather interesting security company "e-matters",
and a couple of minutes brings us several nice issues:
[snip...]
3) [ www.netegrity.com, Netegrity Inc. ]
Netegrity, Inc. is a leading provider of security software solutions that
securely manage
identities and their access to enterprise information assets, letting
business in while keeping risk out.
Netegrity provides a comprehensive identity and access management product
line for continuously evolving
computing environments, including legacy, Web, and service-oriented
architectures.
* ISSUE 1 - SQL injection in /News/feature.cfm page
http://www.netegrity.com/News/feature.cfm?ArticleID=1,
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax
near ','.
The error occurred while processing an element with a general identifier of
(CFQUERY), occupying document position (24:1) to (24:55).
* ISSUE 2 - SQL injection in /News/PressRelease.cfm page
http://www.netegrity.com/News/PressRelease.cfm?ArticleId=1,1&leveltwo=PressReleases
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 6: Incorrect syntax
near ','.
The error occurred while processing an element with a general identifier of
(CFQUERY), occupying document position (24:1) to (24:55).
* ISSUE 3 - Path disclosure
http://www.netegrity.com/News/PressRelease_Archive.cfm?levelthree=2000&release=nul
Cannot open CFML file
The requested file "C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML"
cannot be found.
The specific sequence of files included or processed is:
C:\INETPUB\WWWROOT\2001\NEWS\PRESSRELEASE_ARCHIVE.CFM
C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML CFInclude
The error occurred while processing an element with a general identifier of
(CFINCLUDE), occupying document position (44:2) to (44:32).
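
Added example, not part of the original notice and not the site's code: a Python stand-in for the server-side checks that would stop the three behaviours shown above (strict integer parsing plus a bound parameter for ArticleID, allow-listed include names that reject the reserved device name "nul", and fixed error messages instead of driver and path details). The table, column, file names and sample rows are constructed assumptions.

```python
import re
import sqlite3

# Windows reserved device names; "nul" is the value used in ISSUE 3.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}

class BadRequest(ValueError):
    """Input failed validation; carries no detail for the client."""

def make_demo_db():
    # Constructed sample data, not the site's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (article_id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'Constructed press release')")
    return db

def parse_article_id(raw):
    # Digits only: "1," and "1,1" from ISSUE 1 and 2 are rejected before any SQL runs.
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        raise BadRequest
    return int(raw)

def fetch_article(db, raw_id):
    # Bound parameter: the value is never concatenated into the statement text.
    row = db.execute("SELECT title FROM articles WHERE article_id = ?",
                     (parse_article_id(raw_id),)).fetchone()
    return row[0] if row else None

def archive_include(year, release, known_files):
    # Build the include name only from validated parts, then require an allow-list hit.
    if not re.fullmatch(r"(19|20)[0-9]{2}", year or ""):
        raise BadRequest
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", release or "") or release.upper() in RESERVED:
        raise BadRequest
    name = f"{year}/{release.lower()}.html"
    return name if name in known_files else None

def handle(fn, *args):
    # Return (status, body) with fixed messages; details belong in the server log only.
    try:
        result = fn(*args)
    except BadRequest:
        return 400, "Bad request"
    except Exception:
        return 500, "Internal error"
    return (200, result) if result is not None else (404, "Not found")
```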