COMMAND

    NCM

SYSTEMS AFFECTED

    NCM.at - Content Management System

PROBLEM

    Roland Aigner found the following.  With specific malformed HTTP
    requests, direct access to the content database is possible.  When
    a request variable contains an additional character that the
    database server in use does not recognize, the complete SQL error
    is shown in a window:

        http://www.TARGET.com/content.pl?group=49&id=140a

    Playing this game further, it's possible to exploit this database
    as follows:

        http://www.TARGET.com/content.pl?group=49&id=140%20or%20id>0%20or%20ls_id<1000%20or%20kategorie<10000%20or%20kategorie>10%20or%20ls_id>1%20or%20id<10%20or%20kategorie<10%20or%20kategorie>4&shortdetail=1

    This uses the database information displayed in the error box that
    we get from the first URL to obtain all records.

    With a correct SQL server (like MS-SQL) it should be possible (but
    untested) to use a nested SQL query to even drop the database (or
    the content table).

    It looks like the "=" character is already filtered out, so we had
    to use a > or < to get the entries.

SOLUTION

    Filter out all comparison characters and suppress SQL error
    displays on actual production websites.  Answer from them on
    2001/04/11: bugs fixed, customers should get new version
    immediately.
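
    The two points above as an added example (Python with sqlite3, not
    NCM's code); it goes beyond character filtering by accepting only an
    integer id and binding it as a query parameter, and it logs database
    errors instead of displaying them.  The table name "content", the
    title column and the sample rows are assumptions; id, ls_id and
    kategorie are the column names seen in the request above.

```python
import logging
import sqlite3

GENERIC_ERROR = "The requested page is not available."

def make_db():
    # Constructed sample data. Column names id, ls_id and kategorie come from
    # the advisory's request; table name, title column and rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content "
               "(id INTEGER, ls_id INTEGER, kategorie INTEGER, title TEXT)")
    db.executemany("INSERT INTO content VALUES (?, ?, ?, ?)",
                   [(140, 1, 5, "public article"),
                    (141, 2, 7, "unpublished draft"),
                    (142, 3, 9, "internal note")])
    return db

def fetch_before(db, raw_id):
    """'Before' form: '=' is stripped as the advisory observed, but the value
    is still pasted into the SQL text and driver errors reach the visitor."""
    filtered = raw_id.replace("=", "")
    try:
        sql = "SELECT title FROM content WHERE id = " + filtered
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc  # leaks parser/schema detail

def fetch_after(db, raw_id):
    """Hardened form: accept only a short ASCII integer, bind it as a
    parameter, log failures server-side and show a fixed message."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        logging.warning("rejected id parameter: %r", raw_id)
        return GENERIC_ERROR
    try:
        cur = db.execute("SELECT title FROM content WHERE id = ?",
                         (int(raw_id),))
        return [row[0] for row in cur]
    except sqlite3.Error:
        logging.exception("content query failed")
        return GENERIC_ERROR

if __name__ == "__main__":
    db = make_db()
    for value in ("140", "140a", "140 or id>0"):  # values from the advisory
        print(repr(value), "before:", fetch_before(db, value))
        print(repr(value), "after: ", fetch_after(db, value))
```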