=======================================================================
= CodeScan Advisory, codescan.com
= Insufficient User Input Validation in VP-ASP 6.50 Demo Code
= Vendor Website:
= http://www.vpasp.com/
= Affected Version:
= VP-ASP Shopping Cart 6.50 Demo Code And Earlier
= Researched By
= CodeScan Labs
= Public disclosure on January 21st, 2010
=======================================================================
== Overview =
CodeScan Labs (http://www.codescan.com), has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.
During the ongoing testing of CodeScan ASP, VP-ASP was selected as one of
the test applications. We downloaded a demo of VP-ASP from the VP-ASP
website http://www.vpasp.com/virtprog/paypal.htm.
This advisory is the result of research into the security of VP-ASP,
based on the report generated by the CodeScan tool.
== Vulnerability Details =
* SQL Injection *
An SQL Injection vulnerability is caused by assigning a variable from client
data, for example in file shopsessionsubs.asp in Function Getwebsess:
userid=cleanchars(request("websess"))
and:
userid = Request.Cookies(cookiename)
In Sub ResponseCookies variable userid is assigned to variable websess by a
call to Getwebsess and variable websess is concatenated with other data to
construct an SQL statement:
cookiesql="Select * from sitesessions where sessionkey='" & websess & "'"
This SQL statement is used in a call to ADODB.Connection.Execute:
set cookiers=cookiedbc.execute(cookiesql)
The function cleanchars makes a security check on the input, but this check is
based on a blacklist of bad characters that could be used in SQL statements;
it is better to use a whitelist of allowed characters, as it is easy to
overlook possible bad characters.
* Cross Site Scripting and Arbitrary File Access *
Cross Site Scripting and Arbitrary File Access vulnerabilities are caused by
assigning a variable from client data in file shopsessionsubs.asp, in
Sub CookielessGenerateFilename:
ipaddress = Request.Servervariables("REMOTE_HOST")
Variable ipaddress is concatenated with other data in
Sub CookielessGenerateFilename to construct a variable filename:
tempname=prefix & "_" & mm & dd & yy & "_" & Ipaddress
tempname=tempname & ".txt"
tempname=xsavesessionfilefolder & "\" & tempname
filename=tempname
Variable filename is used in calls to Scripting.FileSystemObject.OpenTextFile
and Response.Write in Sub CookielessReadFile:
Set Myfile = fso.OpenTextFile(filename, 1, false)
and:
response.write "" & "unable to open file" & filename & "
" & err.description & ""
These vulnerabilities do not depend on direct user input, but a hacker could
tamper with the REMOTE_HOST server variable or with cookies to supply malicious
input.
== Credit =
Discovered and advised to the vendor by CodeScan Labs
== About CodeScan Labs Ltd =
CodeScan Labs is a specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET C#
and PHP
CodeScan Labs operates with Responsible Disclosure where appropriate. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor may not be made publicly available.
-- =0D
This message has been scanned for viruses and=0D
dangerous content by Bizo EmailFilter, and is=0D
believed to be clean.=0D