------------------------------------------------------------------
- CANews Remote Multiple Vulnerabilities -
-= http://colander.altervista.org/advisory/CANews.txt =-
------------------------------------------------------------------

-= CodeAvalanche News Version 1.2 =-


Omnipresent
May 18, 2006

Vulnerability(s):
----------------
SQL Injection
XSS Attack


Product:
--------
CodeAvalanche News Version 1.2

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-news-publishing-script.php


Description of product:
-----------------------

CodeAvalanche News is an ASP application that lets webmasters easily add a news page to their website.

Resource Specification
Platform(s): Windows
Date Added: Mar 8, 2005
Last Updated: May 5, 2006
Author: xfairguy


Vulnerability / Exploit:
------------------------

In the [path_of_appl.]\admin directory there is the file default.asp, which contains vulnerable code: the variable
Password is not properly sanitized, so a malicious user can inject SQL code through the Password variable.

Let's look at the source code to understand the problem:

[default.asp]

[...]

userLogged=false
If Request("Password")<>"" Then
'response.Write(Request("Password"))
'response.flush

dim rsUser,selectSQL
' The submitted Password value is concatenated straight into the SQL text (the vulnerable line)
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"
'response.Write(selectSQL)

set rsUser = Server.CreateObject("ADODB.Recordset")
rsUser.ActiveConnection =connStr
rsUser.Source = selectSQL
rsUser.CursorType = 3
rsUser.CursorLocation = 2
rsUser.LockType = 3
rsUser.Open()



[...]

[End default.asp]

As you can see, the problem is in the string selectSQL. The input passed in the variable Password is not properly sanitized, so
an attacker can inject arbitrary SQL code. Look at this example:

If the variable Password is: 1' OR '1' = '1

the selectSQL string looks like:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'"

and you can gain access to the application with admin rights.
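
The fix for the login check above is to stop building the query from the request string. The following is an added example, not code from the advisory or from CodeAvalanche, showing the same check written with an ADODB.Command and a bound parameter; connStr is assumed to be the application's existing connection string. With this form the payload 1' OR '1' = '1 is compared literally against the PASSWORD column and matches nothing.

```vbscript
' Added example (not from the advisory or the CodeAvalanche code base): the login
' check from default.asp rewritten so that Request("Password") is passed to the
' driver as a parameter value and never becomes part of the SQL text.
' connStr is assumed to be the application's existing connection string.
userLogged = False
If Request("Password") <> "" Then
    Dim cmd, rsUser
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr
    ' The query text is constant; "?" is the placeholder the password is bound to
    cmd.CommandText = "SELECT * FROM PARAMS WHERE PASSWORD = ?"
    cmd.CommandType = 1                                   ' adCmdText
    ' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("pwd", 200, 1, 255, Request("Password"))
    ' Execute returns a forward-only, read-only recordset, which is all a login check needs
    Set rsUser = cmd.Execute()
    If Not rsUser.EOF Then
        userLogged = True
    End If
    rsUser.Close
    Set rsUser = Nothing
    Set cmd = Nothing
End If
```

This removes the injection; it leaves unchanged the advisory's observation that the submitted value is compared directly against the PASSWORD column.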
- XSS Attack Explanation -

There is also an XSS bug in this application.
If you put in add_news.asp, in the field Headline, a script like:



you can see the alert message "XSS Attack".



PoC / Proof of Concept of SQL Injection:
----------------------------------------

An attacker can go to this URL:

http://127.0.0.1/[path_of_application]/CANews/Admin/default.asp?password=1' OR '1' = '1&Submit=Login


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@email.it