| vuln.sg Vulnerability Research Advisory |
by Tan Chew Keong 
Summary
A vulnerability has been found in Cool Messenger Office/School Server. When exploited, the vulnerability allows any people to logon to the messenger server as any user without requiring knowledge of any passwords.
Tested Versions
Japanese Version:
Details
This advisory discloses an SQL injection vulnerability in Cool Messenger Office/School Server. The vulnerability exists when Cool_CoolD.exe is handling a user logon authentication request. It is possible to exploit the vulnerability to logon as any user to the messenger server without requiring knowledge of a password. The vulnerability exists because Cool_CoolD.exe does not sanitise the username received from a Cool Messenger client before using it in an SQL query. The username received from a Cool Messenger client is used to construct the following query.
CString::Format("SELECT K_MEMBERID,PASSWD FROM CD_MEMBER WHERE MEMBERID='%s';", username);
Since username is not sanitised, it is possible to manipulate the query to allow logon to the messenger server without knowing any passwords. For example, by submitting a specially-crafted username via the Cool Messenger client:
When such an attack has occurred, the following entry will be observed in the Cool_CoolD_Log log file. [15:40:04:406] (1184) [INFO] User "xx' union ...."[2] logged-in, from 192.168.1.108
Patch / Workaround
According to the vendor, the vulnerability has been fixed in the following versions.
Japanese Version:
Korean Version:
Disclosure Timeline
2006-07-15 - Vulnerability Discovered. |
| Contact |
| For further enquries, comments, suggestions or bug reports, simply email them to |