SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Calendar)  >   aspWebCalendar Vendors:   Full Revolution
aspWebCalendar Input Validation Holes Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1011410
SecurityTracker URL:  http://securitytracker.com/id/1011410
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 25 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in aspWebCalendar. A remote user can inject SQL commands.

Pedro Sanches reported that a remote user can insert specially crafted data via the '/calendar.asp?action=login' page to execute SQL commands on the target system.

A demonstration exploit value for the 'username' field to cause the system to disclose the administrative password is provided:

" ' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User where Cal_User_UserName = 'admin'-- "

The 'eventid' field in '/calendar.asp?action=eventdetail&eventid=' is also affected.

The vendor was notified on September 15, 2004, without response.
Impact:   A remote user can inject SQL commands to view the contents of the database, including authentication information.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.fullrevolution.com/calendar_overview.asp (Links to External Site)
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  23 Sep 2004 18:27:02 -0000
Subject:  aspWebCalendar /aspWebAlbum: SQL injection




[1]Introduction

"aspWebCalendar is an .asp (Active Server Pages) script that allows you to easily create an online events calendar that supports multiple
 users. Easy installation and usage are the key features of aspWebCalendar. The script contains a text file with a few configuration
 variables that are used by the script... Just change one of these variables, upload the files and you are up and running."

"aspWebAlbum is an .asp (Active Server Pages) script that allows you to easily create an online photo album or gallery simply by uploading
 images to your server... the script will do the rest. Easy installation and usage are the key features of aspWebAlbum. The script
 contains a text file with several configuration variables that are used by the script... just change two of these and you are up
 and running. To add images simply upload them to your server, its that simple."

This information was taken from http://www.jancw.dk/ but the vendor of this software is Full Revolution and the website can be found
 at www.fullrevolution.com


[2]The Problem

These two can run on SQL or Access databases, both coming right from the box, and those who use the default sql file are vulnerable
 to injection, alowing, f.e., an attacker to view the table contents by reading the asp error messages. 

(1) For the aspWebCalendar, in the login pages: 

"www.example.com/album.asp?action=login"

you can put this in the username field (leaving the password blank) to extract the password for the 'admin' user, if it exists:

"  ' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User where Cal_User_UserName = 'admin'--  "

 
  (1.1) the 'eventid' field is vulnerable to sql injection too:
	"www.example.com/calendar.asp?action=eventdetail&eventid='"



(2) For the aspWebAlbum, the login pages can be found at "www.example.com/calendar.asp?action=login" and the problem is the same (i'll
 use the same example as above) :

	"' union select Gal_UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Gal_Users where Gal_UserUserName = 'admin' --"

	
	(2.2) The 'cat' field is also a problem in this example:
	     "www.example.com/album.asp?cat='"


At the moment all the SQL versions of this software seem to be affected.


[3]Timeline

(28/8/2004) vuln discovered
(29/8/2004) short note posted at johnny.ihackstuff.com forums
(15/9/2004) vendor notified, still no reply


[4]Feedback

cybercide@megamail.pt

(This is my first vulnerability disclosure so if there's a mistake here don't hurt me too much :-) )


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC