BroadVision command Injection

From: stephen (stephen@dcode.net)
Date: Tue Aug 20 2002 - 12:50:28 EDT


I've come across a web application using BroadVision, that's vulnerable to
script injection. Trouble is, is that BV doesn't use straight SQL, but
rather some sort of server-side Javascript (seriously). The command in
the page, looks like this:
Session.serviceOfflineCM.contentByCondition( OWNER_ID = 99999993333 AND
DELETED = 0 AND UPPER(LIST_VALUE) LIKE UPPER('%hello'%') ,US
,'SOME_THING' ,null )

I injected hello' into the vulnerable field. Any ideas on how to actually
run any code on the server ? The usual comment characters don't seem to
work (#,;;,//,<--,--).
The web is full of marketing information about BV, but very sparse on
technical/programmatical info, any links to usefull tech info will be
appreciated.

cheers,
Stephen

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT