Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection
SecurityAlert : 3421 CVE : CVE-2007-6271 SecurityRisk : High (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Adrian Pastor, Jan Fry and Richard Brain Published : 07.12.2007
Affected Software :
Absolute News Manager.NET 5.1
Advisory Text :
PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1
including file retrieval and SQL injection
Vulnerabilities found: 16 November 2007
Vendor informed: 19 November 2007
Vulnerability fixed: 28 November 2007
Severity: High
Description:
Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:
- unauthenticated file retrieval (directory traversal) on
'/pages/default.aspx'
- unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly
'/pages/default.aspx'
- XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'
- webroot disclosure on 'getpath.aspx'
File retrieval PoC:
The following URL shows the contents of .NET 'web.config' (contains DB
credentials):
Contents of any files on the web server can be obtained. Unauthorized SQL
queries can be injected. Scripting code can be run within the security
context of the target domain. Information about the target environment can
be extracted.
Note: ProCheckUp has NOT tested the patch provided by Xigla Software.
References:
http://www.procheckup.com/Vulnerability_2007.php
http://www.xigla.com/absolutenmnet/
Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd
(www.procheckup.com)
ProCheckUp thanks Xigla Software for working with us.
Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Maksymilian Arciemowicz discovered a Integer Overflow
vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.