lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051007104043.22978.qmail@securityfocus.com>
Date: 7 Oct 2005 10:40:43 -0000
From: advisory@...da.ir
To: bugtraq@...urityfocus.com
Subject: Aenovo Multiple Vulnerabilities


Aenovo Multiple Vulnerabilities

[KAPDA::#3] - Aenovo - Multiple Vulnerabilities

KAPDA New advisory

Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions),

AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions) 

Vendor: http://www.aenovo.co.uk/

Risk: High

Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss)

About Aenovo
--------------------
   aeNovo is a collection of sophisticated web pages 

that allows you to have a website that's as big and

as elaborate as you make it. Once your aeNovo 

files are moved to your web space you can add, delete

and amend pages, images and all manner of files

 all THROUGH THE BROWSER.

	Vendor`s description : http://www.aenovo.co.uk/introduction.asp

Discussion :
----------------
  Several scripts do not properly validate user-supplied

input. A remote user can create specially crafted

parameter values that will execute SQL commands on the

underlying database.Also it is possible to Inject Html scripts

in vulnerable page.

  One the most Important rules in Application security is 

confidentiality  of stored passwords.To achive this goal 

Applications ( Including web apps) encrypt passwords and

store crypted hashes.This application suffer from Clear Text

Password Storage.
 
   As we know and tested all versions of Aenovo , Aenovoshop   

and aeNovoWYSI are vulnerable.


Vulnerabilities:
--------------------

[1] Sql injection in   /password/default.asp  (/user/control.asp) 

at parameter named 'password'.Attacker can enter Sql to login

to system as low-level user.
	
[2]Clear Password Storage at 'control','content' and 'pages' tables.

[3]Sql injection in /search.asp (/incs/searchdisplay.asp)

at parameter named 'strSQL'.

[4]Xss can be found in most of active server pages 

which get and render user-supplied input.

Proof of Concepts:
--------------------

[1]
<html>
<h1>Aenovo Login-Bypass PoC -  Kapda `s advisory </h1>
<p>	Discovery and exploit by farhadkey [at}  kapda.ir</p>
<p><a href="http://www.kapda.ir/">	Kapda - Security Science Researchers Institute 
of Iran</a></p>
<form method="POST" action="http://target/user/control.asp">
<input type="hidden" name="password" value="[SQL Injection]" >
<input type="submit" value="Submit" name="B1">
<input type="hidden" name="test" value="1">
</form></html>

[3] 
AeNovo :Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]

AeNovoShop:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]


AeNovoWYSI:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]

Solution:
--------------------
No patch`s released yet by vendor.
This advisory is reported to Vendor about one month ago.

More Detail:
--------------------
http://www.kapda.ir/advisory-78.html
Visit above link for more details.

Credit :
--------------------
Farhad Koosha & Devil_box 
devil_box [at}  kapda.ir
farhadkey [at}  kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ