[VIM] [OSVDB Mods] [Change Request] 22066: SpireMedia CMS index.cfm cid Variable SQL Injection
security curmudgeon
jericho at attrition.org
Wed Jan 18 00:26:23 EST 2006
Hi Thaddeus,
: http://www.osvdb.org/22066
:
: You have published a security related issue regarding our software:
: "SpireMedia CMS is prone to an SQL injection vulnerability. This issue
: is due to a failure in the application to properly sanitize
: user-supplied input before using it in an SQL query. "
:
: This information is incorrect, unproven, and potentially slanderous.
Actually, the information a) isn't slanderous, and b) isn't libelous (the
correct term, since this is all in 'writing'). Slander and libel are
heavily based on the intent of what is said or written, and we clearly had
no intent to harm your company in any way. OSVDB simply collects and
organizes public vulnerability information made public in other sources.
The original disclosure point was the blog entry [1], which has a comment
challenging the information (presumably posted by you, 'twb').
Now, you say the vulnerability is 'incorrect' and 'unproven'. While
browsing your website, I accidentally hit the single quote character on my
URL thingy, and got all kinds of odd error output. It just so happens that
the output I see doesn't quite match the "Oops!" message you refer to.
Here is what I see:
http://www.spiremedia.com/spiremedia2k5/index.cfm?cid='
Invalid data ' for CFSQLTYPE CF_SQL_INTEGER.
The error occurred in /u05/dev_projects_2002/com/spiremedia/2k5/page.cfc:
line 51
49 : <cfprocparam type = "in" CFSQLType =
"CF_SQL_INTEGER" dbVarName = "@cid" value = "#this.cid#">
50 : <cfprocparam type = "in" CFSQLType =
"CF_SQL_TINYINT" dbVarName = "@siteid" value = "#arguments.siteid#">
51 : <cfprocresult name = "qryPage">
52 : </cfstoredproc>
53 :
Please try the following:
* Check the ColdFusion documentation to verify that you are using the
correct syntax.
* Search the Knowledge Base to find a solution to your problem.
Browser Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12)
Gecko/20050915 Firefox/1.0.7 (ax)
Remote Address 216.38.219.236
Referrer
Date/Time 17-Jan-06 10:06 PM
Stack Trace
at cfpage2ecfc4992745$funcLOAD.runFunction(/u05/dev_projects_2002/com/spiremedia/2k5/page.cfc:51)
at cfApplication2ecfc1299132579$funcONREQUESTSTART.runFunction(/u05/dev_projects_2002/spiremedia2k5/Application.cfc:167)
coldfusion.sql.Parameter$DataTypeMismatchException: Invalid data ' for
CFSQLTYPE CF_SQL_INTEGER.
I'm not a security expert, but that output tells me two things. First, it
is very likely it is vulnerable to SQL injection attacks based on seeing
other examples and vulnerable applications. Second, a failed SQL query
will disclose the full installation path of the software, which is a
separate vulnerability.
: Please either validate or remove this information from your site immediately.
At this point, I personally consider this validated.
Brian
OSVDB.org
[1] http://pridels.blogspot.com/2005/12/spiremedia-cms-sql-inj-vuln.html
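The cfprocparam CFSQLType check behind the "Invalid data ' for CFSQLTYPE CF_SQL_INTEGER" error, together with an error handler that keeps the installation path and stack trace out of the response, modelled in Python as an added example (not code from the original message or from SpireMedia CMS); the numeric ranges, the function names and the generic "Oops!" text are assumptions.

```python
"""Added example, not code from the original message or from SpireMedia CMS:
models the cfprocparam CFSQLType check seen in the error page, and an error
handler that logs detail server-side instead of returning paths and traces."""
import logging
import re

# CFSQLType names are from the error page; the numeric ranges are assumptions.
CFSQL_RANGES = {
    "CF_SQL_INTEGER": (-2**31, 2**31 - 1),
    "CF_SQL_TINYINT": (0, 255),
}
_INT_RE = re.compile(r"^-?\d+$")


class DataTypeMismatch(ValueError):
    """Analogue of coldfusion.sql.Parameter$DataTypeMismatchException."""


def bind_param(cfsqltype: str, value: str) -> int:
    """Validate a request value against its declared CFSQLType before binding.
    As with cfprocparam, a value such as "'" is rejected here, so the raw text
    never becomes part of the SQL sent to the stored procedure."""
    lo, hi = CFSQL_RANGES[cfsqltype]
    text = value.strip()
    if not _INT_RE.match(text) or not lo <= int(text) <= hi:
        raise DataTypeMismatch(f"Invalid data {value} for CFSQLTYPE {cfsqltype}.")
    return int(text)


def handle_page_request(cid: str, siteid: str) -> tuple[int, str]:
    """Simulated index.cfm?cid=...&siteid=... handler (hypothetical name).
    The full exception goes to the server log; the client gets a generic
    message, so neither /u05/... paths nor a stack trace are disclosed."""
    try:
        bound_cid = bind_param("CF_SQL_INTEGER", cid)
        bound_site = bind_param("CF_SQL_TINYINT", siteid)
    except DataTypeMismatch as exc:
        logging.getLogger("cfapp").warning("rejected parameter: %s", exc)
        return 400, "Oops! Something went wrong."
    return 200, f"page cid={bound_cid} siteid={bound_site}"


if __name__ == "__main__":
    print(handle_page_request("'", "1"))   # the cid=' request from the message
    print(handle_page_request("12", "1"))
```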