lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 2 Apr 2009 23:18:46 +1100
From: Patrick Webster <patrick@...hack.com>
To: bugtraq@...urityfocus.com
Subject: Asbru Web Content Management Vulnerabilities

aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 02-Apr-2009

Software:
 Asbru Software - Asbru Web Content Management
 http://www.asbrusoft.com/

 "Ready to use, full-featured, database-driven web content management system
  (CMS) with integrated community, databases, e-commerce and statistics modules
  for creating, publishing and managing rich and user-friendly
Internet, Extranet
  and Intranet websites."

Versions tested:
 6.5 and 6.6.9 have been confirmed as vulnerable in the ASP release.
 Other versions are untested. The vendor reports JSP, PHP, ASPX immune.

Vulnerability discovered:

 SQL Injection & XSS

Vulnerability impact:

 High - SQL Injection in backend database. Impact depends on the
 	   security and configuration of the database. It may be possible
	   to execute code using functons such as xp_cmdshell in poorly
	   configured hosts. Other attacks possible include obtaining the
	   CMS admin username and password from the database and
	   subsequently uploading code or modifying the page content.

Vulnerability information:

 The 'id' GET parameter of 'page.asp', 'stylesheet.asp' and 'file.asp' is
 vulnerable to numeric based blind SQL injection.

 Example:

  http://[victim]/page.asp?id=1 	<-- main page
  http://[victim]/page.asp?id=1 AND 1=2 <-- returns blank (false)
  http://[victim]/page.asp?id=1 AND 1=1 <-- main page (true)

  XSS in the 'url' parameter of 'login.asp':

  Example:

  http://[victim]/webadmin/login.asp?url="><script>alert(document.cookie)</script>

References:
 aushack.com advisory
 http://www.aushack.com/200904-asbru.txt

Credit:
 Patrick Webster ( patrick@...hack.com )

Disclosure timeline:
 28-Oct-2008 - Discovered during audit.
 27-Nov-2008 - Notified vendor.
 28-Nov-2008 - Vendor releases patch.
 02-Apr-2009 - Disclosure.

EOF

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ