[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051007104043.22978.qmail@securityfocus.com>
Date: 7 Oct 2005 10:40:43 -0000
From: advisory@...da.ir
To: bugtraq@...urityfocus.com
Subject: Aenovo Multiple Vulnerabilities
Aenovo Multiple Vulnerabilities
[KAPDA::#3] - Aenovo - Multiple Vulnerabilities
KAPDA New advisory
Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions),
AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions)
Vendor: http://www.aenovo.co.uk/
Risk: High
Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss)
About Aenovo
--------------------
aeNovo is a collection of sophisticated web pages
that allows you to have a website that's as big and
as elaborate as you make it. Once your aeNovo
files are moved to your web space you can add, delete
and amend pages, images and all manner of files
all THROUGH THE BROWSER.
Vendor`s description : http://www.aenovo.co.uk/introduction.asp
Discussion :
----------------
Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database.Also it is possible to Inject Html scripts
in vulnerable page.
One the most Important rules in Application security is
confidentiality of stored passwords.To achive this goal
Applications ( Including web apps) encrypt passwords and
store crypted hashes.This application suffer from Clear Text
Password Storage.
As we know and tested all versions of Aenovo , Aenovoshop
and aeNovoWYSI are vulnerable.
Vulnerabilities:
--------------------
[1] Sql injection in /password/default.asp (/user/control.asp)
at parameter named 'password'.Attacker can enter Sql to login
to system as low-level user.
[2]Clear Password Storage at 'control','content' and 'pages' tables.
[3]Sql injection in /search.asp (/incs/searchdisplay.asp)
at parameter named 'strSQL'.
[4]Xss can be found in most of active server pages
which get and render user-supplied input.
Proof of Concepts:
--------------------
[1]
<html>
<h1>Aenovo Login-Bypass PoC - Kapda `s advisory </h1>
<p> Discovery and exploit by farhadkey [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute
of Iran</a></p>
<form method="POST" action="http://target/user/control.asp">
<input type="hidden" name="password" value="[SQL Injection]" >
<input type="submit" value="Submit" name="B1">
<input type="hidden" name="test" value="1">
</form></html>
[3]
AeNovo :Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]
AeNovoShop:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]
AeNovoWYSI:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]
Solution:
--------------------
No patch`s released yet by vendor.
This advisory is reported to Vendor about one month ago.
More Detail:
--------------------
http://www.kapda.ir/advisory-78.html
Visit above link for more details.
Credit :
--------------------
Farhad Koosha & Devil_box
devil_box [at} kapda.ir
farhadkey [at} kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)
Powered by blists - more mailing lists