Aenovo Multiple Vulnerabilities

advisory_at_kapda.ir
Date: 10/07/05

  • Next message: Thierry Carrez: "[ GLSA 200510-07 ] RealPlayer, Helix Player: Format string vulnerability"
    Date: 7 Oct 2005 10:40:43 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) Aenovo Multiple Vulnerabilities

    [KAPDA::#3] - Aenovo - Multiple Vulnerabilities

    KAPDA New advisory

    Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions),

    AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions)

    Vendor: http://www.aenovo.co.uk/

    Risk: High

    Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss)

    About Aenovo
    --------------------
       aeNovo is a collection of sophisticated web pages

    that allows you to have a website that's as big and

    as elaborate as you make it. Once your aeNovo

    files are moved to your web space you can add, delete

    and amend pages, images and all manner of files

     all THROUGH THE BROWSER.

            Vendor`s description : http://www.aenovo.co.uk/introduction.asp

    Discussion :
    ----------------
      Several scripts do not properly validate user-supplied

    input. A remote user can create specially crafted

    parameter values that will execute SQL commands on the

    underlying database.Also it is possible to Inject Html scripts

    in vulnerable page.

      One the most Important rules in Application security is

    confidentiality of stored passwords.To achive this goal

    Applications ( Including web apps) encrypt passwords and

    store crypted hashes.This application suffer from Clear Text

    Password Storage.
     
       As we know and tested all versions of Aenovo , Aenovoshop

    and aeNovoWYSI are vulnerable.

    Vulnerabilities:
    --------------------

    [1] Sql injection in /password/default.asp (/user/control.asp)

    at parameter named 'password'.Attacker can enter Sql to login

    to system as low-level user.
            
    [2]Clear Password Storage at 'control','content' and 'pages' tables.

    [3]Sql injection in /search.asp (/incs/searchdisplay.asp)

    at parameter named 'strSQL'.

    [4]Xss can be found in most of active server pages

    which get and render user-supplied input.

    Proof of Concepts:
    --------------------

    [1]
    <html>
    <h1>Aenovo Login-Bypass PoC - Kapda `s advisory </h1>
    <p> Discovery and exploit by farhadkey [at} kapda.ir</p>
    <p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute
    of Iran</a></p>
    <form method="POST" action="http://target/user/control.asp">
    <input type="hidden" name="password" value="[SQL Injection]" >
    <input type="submit" value="Submit" name="B1">
    <input type="hidden" name="test" value="1">
    </form></html>

    [3]
    AeNovo :Lists username and password of administrators
    http://target/search.asp?strSQL=[SQL Injection]

    AeNovoShop:Lists username and password of administrators
    http://target/search.asp?strSQL=[SQL Injection]

    AeNovoWYSI:Lists username and password of administrators
    http://target/search.asp?strSQL=[SQL Injection]

    Solution:
    --------------------
    No patch`s released yet by vendor.
    This advisory is reported to Vendor about one month ago.

    More Detail:
    --------------------
    http://www.kapda.ir/advisory-78.html
    Visit above link for more details.

    Credit :
    --------------------
    Farhad Koosha & Devil_box
    devil_box [at} kapda.ir
    farhadkey [at} kapda.ir
    Kapda - Security Science Researchers Insitute of Iran
    http://www.KAPDA.ir
    (PersianHacker.NET)


  • Next message: Thierry Carrez: "[ GLSA 200510-07 ] RealPlayer, Helix Player: Format string vulnerability"

    Relevant Pages

    • [Full-Disclosure] Various Vulnerabilities in OWL Intranet Engine
      ... Cross Site Scripting Vulnerabilities ... In the script browser various parameters, that are used to write the ... SQL Injection Vulnerabilities ... The information in this advisory and any of its demonstrations is ...
      (Full-Disclosure)
    • Various Vulnerabilities in OWL Intranet Engine
      ... Cross Site Scripting Vulnerabilities ... In the script browser various parameters, that are used to write the ... SQL Injection Vulnerabilities ... The information in this advisory and any of its demonstrations is ...
      (Bugtraq)
    • Various Vulnerabilities in OWL Intranet Engine
      ... Cross Site Scripting Vulnerabilities ... In the script browser various parameters, that are used to write the ... SQL Injection Vulnerabilities ... The information in this advisory and any of its demonstrations is ...
      (Full-Disclosure)