##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title:              Blaze Apps Multiple Vulnerabilities
# Vendor:             http://blazeapps.codeplex.com
# Vulnerable Version: 1.4.0.051909 (and prior versions)
# Exploitation:       Remote with browser
# Fix:                N/A
###################################################################################
####################
- Description:
####################
Blaze Apps is an ASP.NET 2 Content Management System. It uses VB and
C# as backend languages and Microsoft SQL Server as its DBMS.
####################
- Vulnerability:
####################
+--> MS SQL Server 2005 SQL Injection
+--/-- 1>
    There is an SQL Injection vulnerability in the site search module.
    The code can be found in the "/BlazeApps/Usercontrols/Search.ascx" file.
    Submitting search criteria causes the subroutine "uxSubmitButton_Click"
    in the file "/BlazeApps/Usercontrols/Search.ascx.vb" to be executed.
    It then uses the "uxSearchTextBox" input value (POST variable) and
    the "tagname" input value (POST variable) in a query without escaping.
    The exact place of the injection bug is at lines 67 and 69.
    NOTE: In the query-creation phase, all security measures are in place. In the file
    "/BlazeApps.Library/Search/PageSearch.cs" at lines 20 and 30 the
    query parameters are all escaped in a prepared SQL statement.
    But (only) in the search module, the WHERE clause is created manually before
    reaching the DB utility code, so that escaping does not protect it.
+--/-- 2>
    In the "/BlazeApps/App_Code/BlazeKBSVC.vb" file at lines 19 and 37
    the "SearchString" function parameter is not escaped before being used in
    the query.
    Again, the bug is (only) in the high-level logic code; the
    underlying DB utility escapes everything correctly.
+--> Stored XSS Vulnerability
    The post page of the site's forum saves posts without any check on the input.
    In the file "/BlazeApps/Usercontrols/Forum/addpost.ascx.vb" at line 121
    the "uxAddPostTextbox" input value is not sanitized.
####################
- Exploits/PoCs:
####################
+--> Exploiting the SQL Injection Vulnerabilities:
    You can use the "aa' OR **** OR 'a'='1" injection vector to exploit the
    above bugs (replacing the **** with a desired query). For example,
    "aa' OR 1=1 OR '1'='1" will show everything in the search response page.
    This vulnerability can be used to extract the admin password by
    Blind SQL Injection.
    Using "aa' OR @Condition OR 'a'='1" as the injection vector, the
    result page for the search will be empty if @Condition is false and
    will show all links if @Condition is true.
    So we can replace @Condition with a query like
      EXISTS (SELECT * FROM blazedb.dbo.aspnet_Membership WHERE
      (LEN(Password) < 32) AND UserId=??)
    and then brute-force first the length and then each character of the
    password (of course we first need to extract the user id from the
    username with another query like the one above, and then fill ?? with
    the user id of the admin; this is the same process).
+--> Exploiting the Stored XSS Vulnerability:
    It can be exploited by posting a vector like "" to the forum.
    (see "/BlazeApps/Usercontrols/Forum/addpost.ascx.vb")
####################
- Solution:
####################
Edit the source code to ensure that inputs are properly sanitized against
SQL injection, i.e. pass them as parameters of a prepared SQL statement
(as the DB utility code already does) instead of concatenating them into
the WHERE clause.
For the XSS you should whitelist the input messages.
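As an added illustration (not code from the Blaze Apps project), the fix described above written in C#: the concatenated WHERE clause pattern beside the same search built with SqlParameter objects, plus HTML-encoding of the forum post at render time as a complement to the input whitelist recommended above. Table and column names (Pages, PageId, Title, Tag) are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class HardenedSearch
{
    // Vulnerable pattern (as described for Search.ascx.vb): the WHERE clause
    // is concatenated from the raw POST values, so a quote in the search text
    // changes the SQL. Kept here only for comparison; do not use.
    public static string VulnerableWhere(string searchText, string tagName)
    {
        return "Title LIKE '%" + searchText + "%' AND Tag = '" + tagName + "'";
    }

    // Hardened version: user input never becomes part of the SQL text.
    // The server receives the fixed statement plus typed parameter values,
    // so "aa' OR 1=1 OR '1'='1" is just a (non-matching) search string.
    // Table and column names are assumed for illustration.
    public static SqlCommand BuildSearchCommand(SqlConnection conn,
                                                string searchText,
                                                string tagName)
    {
        var cmd = new SqlCommand(
            "SELECT PageId, Title FROM Pages " +
            "WHERE Title LIKE @pattern AND Tag = @tag", conn);

        // Escape LIKE metacharacters so a user-typed "%" or "_" is literal.
        // "[" must be escaped first so the brackets added below are not re-escaped.
        string escaped = searchText.Replace("[", "[[]")
                                   .Replace("%", "[%]")
                                   .Replace("_", "[_]");
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
            "%" + escaped + "%";
        cmd.Parameters.Add("@tag", SqlDbType.NVarChar, 50).Value = tagName;
        return cmd;
    }

    // Stored XSS: whatever is accepted into the post, encode it when rendering
    // so markup typed by the poster is displayed as text, not executed.
    public static string RenderPost(string storedPostText)
    {
        return HttpUtility.HtmlEncode(storedPostText);
    }
}
```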
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_66.htm
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com