[Full-disclosure] Craft Silicon Banking at Home SQL Injection
Francesco Bianchino
f.bianchino at gmail.com
Tue Feb 10 19:54:56 GMT 2009
Craft Silicon Banking at Home SQL Injection
***********************************************************************
Author: Francesco Bianchino
Email: f.bianchino [at] gmail.com
Title: Craft Silicon Banking at Home SQL Injection
Product: Banking at Home - Net Banking
Versions Vulnerable: 2.1 and below
Vendor: Craft Silicon (www.craftsilicon.com)
***********************************************************************
Summary
Banking at Home is an home banking application that allows customers to access
their account information using the web.
The application uses data in a database management system that uses Structured
Query Language (SQL) as a data access standard.
**********************************************************************
Vulnerability Details
The login page of Net Banking is vulnerable to SQL Injection attack,
due to a missing input validation mechanisms.
An attacker can inject SQL code into the username and password fields,
altering the login procedure.
There is a classic error based injection, really easy to exploit to
take control
of the entire server.
Authentication bypass is possible using valid username, no password is
required,
or otherwise the user table can be arbitrary modified.
***********************************************************************
Exploit
http://www.example.com/document_root/Login.asp?LoginName='Some_SQL_Stuff&Password=&submit=Login
***********************************************************************
Solution
At the moment of writing this advisory there is no solution yet.
I advised Craft Silicon in November 2008 and i actually have received no answer.
***********************************************************************
Credits
Discovered by Francesco Bianchino.
Full-Disclosure is hosted and sponsored by Secunia.