AdMentor Login Flaw
From: Frank (thran60@hotmail.com)Date: 02/21/02
Date: 21 Feb 2002 10:25:54 -0000 From: Frank <thran60@hotmail.com> To: bugtraq@securityfocus.com
Regarding : AdMentor v2.11 and earlier
Homepage: http://www.aspcode.net
AdMentor allows any user to login as admin.
The base path of the login is usually :
http://www.someserver.com/admentor/admin/admin.asp
By using Login : ' or ''=' , and Password : ' or ''='
We create a legal query because it will get appended as :
SELECT row FROM table WHERE login = '' or ''=''
Same goes for the password. This allows us to login
without any trouble as the main admin. Vendor has
been warned of the bug, but has not released a patch
yet. Temporary solution, filter out the bad chars ' " ~ \
/ by using the following piece of javascript :
// Strips the characters < > " ' % ; ( ) & + - from the input string.
// (The regex in the original post was broken across two lines; it is
// written here as a single character class with the same behaviour.)
function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/[<>"'%;()&+\-]/g, "");
    return strTemp;
}
And calling it from within the asp script :
// String() coerces the ASP request value to a JScript string so that
// .replace() inside RemoveBad() works on it.
var login = RemoveBad(String(Request.QueryString("login")));
var password = RemoveBad(String(Request.QueryString("password")));
I am not sure about the correct vars set in the form,
you might want to tweak it just a bit. Haven't drunk my
coffee yet :)
Credits:
Bug found by thran, thran60@hotmail.com
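The following is an added example, not part of the post above and not AdMentor's own code, that reproduces the query-building mistake the post describes and contrasts it with a parameterised query, the fix that does not depend on a character blacklist. It uses Python and the in-memory sqlite3 module as a runnable stand-in for the ASP/ADO login page; the table name `admins`, its columns and the sample credentials are constructed for the demo (the post only shows "SELECT row FROM table WHERE login = ..."). The `remove_bad()` helper is a port of the post's RemoveBad() blacklist so its side effect on legitimate input can be observed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample admin table (names and values are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (login TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    return conn


def login_concat(conn, login, password):
    """Vulnerable pattern: the submitted values are appended into the SQL
    text, exactly as the post describes, so a quote in the input ends the
    string literal and the rest of the input becomes SQL."""
    sql = ("SELECT login FROM admins WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, login, password):
    """Fixed pattern: the values travel as bound parameters and are never
    part of the SQL text, so a quote in the input is just a quote in the
    value being compared."""
    sql = "SELECT login FROM admins WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


def remove_bad(s):
    """Python port of the post's RemoveBad() JavaScript blacklist."""
    return re.sub(r"[<>\"'%;()&+\-]", "", s)


def compare(payload="' or ''='"):
    """Run the same credentials through both login paths and report."""
    conn = make_db()
    return {
        # the post's payload against concatenated SQL: accepted as admin
        "concat_with_payload": login_concat(conn, payload, payload),
        # the same payload against bound parameters: rejected
        "param_with_payload": login_param(conn, payload, payload),
        # the blacklist does stop this payload on the concatenated query...
        "concat_after_blacklist": login_concat(
            conn, remove_bad(payload), remove_bad(payload)),
        # ...but it also silently mangles legitimate input
        "legit_after_blacklist": remove_bad("O'Neil"),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, "->", v)
```

With the post's `' or ''='` payload the concatenated query evaluates `login = '' or ''='' AND password = '' or ''=''`, and the trailing `''=''` makes the WHERE clause true for every row, so `login_concat` returns True. The bound-parameter version compares the literal nine-character string and returns False. The blacklist also defeats this particular payload, but it rewrites any legitimate value containing a quote (an `O'Neil` becomes `ONeil`), which is why parameterisation rather than character stripping is the durable fix.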