| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 7 Oct 2005 10:40:43 -0000 From: advisory@...da.ir To: bugtraq@...urityfocus.com Subject: Aenovo Multiple Vulnerabilities Aenovo Multiple Vulnerabilities [KAPDA::#3] - Aenovo - Multiple Vulnerabilities KAPDA New advisory Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions), AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions) Vendor: http://www.aenovo.co.uk/ Risk: High Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss) About Aenovo -------------------- aeNovo is a collection of sophisticated web pages that allows you to have a website that's as big and as elaborate as you make it. Once your aeNovo files are moved to your web space you can add, delete and amend pages, images and all manner of files all THROUGH THE BROWSER. Vendor`s description : http://www.aenovo.co.uk/introduction.asp Discussion : ---------------- Several scripts do not properly validate user-supplied input. A remote user can create specially crafted parameter values that will execute SQL commands on the underlying database.Also it is possible to Inject Html scripts in vulnerable page. One the most Important rules in Application security is confidentiality of stored passwords.To achive this goal Applications ( Including web apps) encrypt passwords and store crypted hashes.This application suffer from Clear Text Password Storage. As we know and tested all versions of Aenovo , Aenovoshop and aeNovoWYSI are vulnerable. Vulnerabilities: -------------------- [1] Sql injection in /password/default.asp (/user/control.asp) at parameter named 'password'.Attacker can enter Sql to login to system as low-level user. [2]Clear Password Storage at 'control','content' and 'pages' tables. [3]Sql injection in /search.asp (/incs/searchdisplay.asp) at parameter named 'strSQL'. [4]Xss can be found in most of active server pages which get and render user-supplied input. Proof of Concepts: -------------------- [1] <html> <h1>Aenovo Login-Bypass PoC - Kapda `s advisory </h1> <p> Discovery and exploit by farhadkey [at} kapda.ir</p> <p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute of Iran</a></p> <form method="POST" action="http://target/user/control.asp"> <input type="hidden" name="password" value="[SQL Injection]" > <input type="submit" value="Submit" name="B1"> <input type="hidden" name="test" value="1"> </form></html> [3] AeNovo :Lists username and password of administrators http://target/search.asp?strSQL=[SQL Injection] AeNovoShop:Lists username and password of administrators http://target/search.asp?strSQL=[SQL Injection] AeNovoWYSI:Lists username and password of administrators http://target/search.asp?strSQL=[SQL Injection] Solution: -------------------- No patch`s released yet by vendor. This advisory is reported to Vendor about one month ago. More Detail: -------------------- http://www.kapda.ir/advisory-78.html Visit above link for more details. Credit : -------------------- Farhad Koosha & Devil_box devil_box [at} kapda.ir farhadkey [at} kapda.ir Kapda - Security Science Researchers Insitute of Iran http://www.KAPDA.ir (PersianHacker.NET)
Powered by blists - more mailing lists