SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   ProjectApp
Vendors:   Iatek
ProjectApp Authentication Flaw Lets Remote Users Gain Administrative Access
SecurityTracker Alert ID:  1008513
SecurityTracker URL:  http://securitytracker.com/id/1008513
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 19 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Several vulnerabilities were reported in ProjectApp. A remote user can gain administrative access to the application. A remote authenticated user can reset passwords and user information for arbitrary accounts. A remote user can also conduct cross-site scripting attacks.

JeiAr and parag0d of the GulfTech Security Research Team reported multiple flaws affecting ProjectApp, as well as IntranetApp and PortalApp.

It is reported that a remote user can select an arbitrary user permission level when registering a new user account by manipulating the 'accesslevel' hidden HTML form field. A remote user can gain 'Super Admin' access (i.e., level 4).

It is also reported that a remote authenticated user can reset the password for an arbitrary user account by manipulating the 'user_id' hidden HTML form field when editing their own account. A remote authenticated user can also edit a target user's profile via this method.
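The two flaws above share one root cause: the application lets the browser supply values ('accesslevel' at registration, 'user_id' when editing a profile) that should only ever be decided on the server. The following is an added example, not ProjectApp's or GulfTech's code; it models each request as a dict of form fields plus a server-side session and shows the trusting handler beside a hardened one. The in-memory user table, the default level of 1, and the handler names are assumptions for the illustration; only the level-4 'Super Admin' value comes from the advisory.

```python
"""Added example (not ProjectApp's own code): registration and profile-update
handlers that stop trusting hidden form fields for authorization."""

SUPER_ADMIN = 4     # the 'Super Admin' level named in the advisory
DEFAULT_LEVEL = 1   # assumed default for self-registered users

# Constructed in-memory user table: user_id -> record
USERS = {
    1: {"name": "admin", "accesslevel": SUPER_ADMIN, "password": "x"},
    2: {"name": "alice", "accesslevel": DEFAULT_LEVEL, "password": "y"},
}


def fresh_users():
    """Return an independent copy of the constructed table for each scenario."""
    return {uid: dict(rec) for uid, rec in USERS.items()}


def register_vulnerable(form, users):
    """Trusts the hidden 'accesslevel' field, as the advisory describes."""
    new_id = max(users) + 1
    users[new_id] = {
        "name": form["username"],
        "accesslevel": int(form.get("accesslevel", DEFAULT_LEVEL)),
        "password": form["password"],
    }
    return new_id


def register_hardened(form, users):
    """Ignores any client-supplied level; self-registration always gets DEFAULT_LEVEL.
    Promotion to higher levels is a separate, admin-only action on the server."""
    new_id = max(users) + 1
    users[new_id] = {
        "name": form["username"],
        "accesslevel": DEFAULT_LEVEL,
        "password": form["password"],
    }
    return new_id


def update_profile_vulnerable(form, session, users):
    """Uses the hidden 'user_id' field to choose which record to change."""
    target = int(form["user_id"])
    users[target]["password"] = form["password"]
    return target


def update_profile_hardened(form, session, users):
    """Edits only the record bound to the authenticated session.
    A 'user_id' in the form is ignored; a mismatch is recorded as a tampering signal."""
    target = session["user_id"]
    if "user_id" in form and int(form["user_id"]) != target:
        session.setdefault("audit", []).append(
            f"user_id mismatch: session={target} form={form['user_id']}")
    users[target]["password"] = form["password"]
    return target
```

The hardened versions never read the authorization-relevant value from the request at all; logging the mismatch gives the operator a cheap detection for clients that are still sending a tampered field.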

It is also reported that the software does not filter HTML code from the user-supplied 'msg' variable and from various fields in various scripts. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. A remote user can also submit specially crafted text so that when a target user views certain pages on the application, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the PortalApp software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit is provided:

default.asp?msg=%3Ciframe%3E

Affected variables include the Title and message form fields in 'forums.asp', links in 'submit.asp', and the First Name, Last Name, and Country fields in 'upd_user.asp'.
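Both the reflected 'msg' case and the stored fields listed above are fixed the same way: the value is HTML-escaped at the point it is written into the page, regardless of where it came from. The block below is an added example, not code from ProjectApp or from the advisory; it decodes the page's own demonstration URL, contrasts verbatim reflection with escaped output, applies the same escaping to a profile row, and scans a few constructed W3C-style log lines for 'msg' values that decode to a tag start. The wrapper markup, the profile field names and the log format are assumptions.

```python
"""Added example (not ProjectApp's own code): output encoding for the reflected
'msg' parameter and for stored profile fields, plus a simple log check."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL carrying the advisory's demonstration payload
DEMO_URL = "http://example.invalid/default.asp?msg=%3Ciframe%3E"

# Constructed log lines: date time cs-uri-stem cs-uri-query
SAMPLE_LOG = """2003-12-19 10:00:01 /default.asp msg=%3Ciframe%3E
2003-12-19 10:00:02 /default.asp msg=Welcome
2003-12-19 10:00:03 /forums.asp id=12
"""


def msg_from_url(url):
    """Extract the URL-decoded 'msg' query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("msg", [""])[0]


def render_vulnerable(msg):
    """Reflects the decoded parameter verbatim, as the advisory describes."""
    return "<div class='msg'>" + msg + "</div>"


def render_hardened(msg):
    """Escapes <, >, &, and quotes before the value enters HTML text."""
    return "<div class='msg'>" + html.escape(msg, quote=True) + "</div>"


def render_profile(record):
    """Stored fields get the same treatment when the profile page is built;
    escaping happens on output, not when the record is saved."""
    cells = (html.escape(str(record.get(key, "")), quote=True)
             for key in ("first_name", "last_name", "country"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def flag_msg_injections(log_text):
    """Return the log lines whose decoded 'msg' value contains a tag start.
    Decoding first matters: the raw line only shows '%3C'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        query = parse_qs(parts[3], keep_blank_values=True)
        if any("<" in value for value in query.get("msg", [])):
            hits.append(line)
    return hits
```

Escaping on output rather than on input is what makes the fix cover the forum, link-submission and profile fields in one place; input filtering alone leaves every new output path to be audited separately.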

It is also reported that the software stores an authenticated user's password in a cookie in plaintext. An authenticated administrator can view a target user's password via the user administration page by examining the HTML source for a particular user.
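The plaintext-password weakness compounds the others: a stolen cookie hands over a reusable credential, and any page that embeds the stored record can leak it. The following added example (not ProjectApp's code) shows the usual remedy: the server keeps only a salted PBKDF2 hash, so no admin page can display a password, and the browser receives an opaque random token that maps to the user on the server. The store class, the work factor and the cookie attributes are assumptions for the illustration.

```python
"""Added example (not ProjectApp's own code): salted password hashing and an
opaque server-side session token in place of username:password in the cookie."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune for the deployment


def hash_password(password, salt=None):
    """Return (salt, digest) as raw bytes; both are stored per user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest with the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_user(name, password):
    """A stored record holds no plaintext password, so no page can embed one."""
    salt, digest = hash_password(password)
    return {"name": name, "salt": salt, "digest": digest}


class SessionStore:
    """Server-side map token -> user_id. The cookie carries only the token."""

    def __init__(self):
        self._sessions = {}

    def login(self, users, username, password):
        """Return a fresh random token on success, None otherwise."""
        for user_id, rec in users.items():
            if rec["name"] == username and verify_password(password, rec["salt"], rec["digest"]):
                token = secrets.token_urlsafe(32)
                self._sessions[token] = user_id
                return token
        return None

    def user_for(self, token):
        """Resolve a presented token; unknown or revoked tokens yield None."""
        return self._sessions.get(token)

    def logout(self, token):
        """Revocation is possible because the secret lives on the server."""
        self._sessions.pop(token, None)

    def cookie_header(self, token):
        """Set-Cookie value: opaque token only; HttpOnly keeps it from page script."""
        return f"session={token}; HttpOnly; Secure; Path=/"
```

With this layout a cookie stolen through one of the XSS flaws above is a revocable session, not the user's password, and the HttpOnly flag removes it from reach of injected script in the first place.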

A demonstration exploit is available at:

http://www.gulftech.org/vuln/aspapp.html

Impact:   A remote user can gain administrative access to the application.

A remote authenticated user can reset passwords and user information for arbitrary accounts.

A remote authenticated administrator can view a target user's password.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ProjectApp software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry. The report indicates that the vendor plans to issue a fix at the end of December 2003.
Vendor URL:  www.aspapp.com/apps/products.asp?catid=66&prodid=projectapp (Links to External Site)
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities In ASPapp Products




Vendor  : ASPapp.com
URL     : http://www.aspapp.com
Version : PortalApp - IntranetApp - ProjectApp
Risk    : Multiple Vulnerabilities



Description:
A complete, easy-to-modify .asp portal system. With this portal you can manage 
users, content, links, files, forums, surveys, product catalog, shopping cart, 
PayPal or Authorize.net e-commerce, classifieds, calendar, downloads, images, 
surveys, faq's, news, and more. Currently it is one of the most popular .ASP
scripts at HotScripts.com The below vulnerabilities also affect IntranetApp
and ProjectApp, as the codebase is almost identical.



Privilege Escalation Vulnerability:
When registering an account a malicious user can set themselves to any user level
they desire. The user level is determined by a hidden form field value titled 
"accesslevel". If a user sets themselves to the "Super Admin" level [4] they can
pretty much take over the entire portal. They can also view other users' passes
in plaintext via the "User Admin" feature by viewing the HTML source. This does 
not seem to be present in IntranetApp, but is present in PortalApp and ProjectApp.



Account Hijacking Vulnerability:
Once again ASP App software relies on hidden form fields to determine user values.
By changing the "user_id" field when editing their profile a malicious user can reset 
passwords for arbitrary accounts and edit their user info etc. This is present in 
all three applications.



Cross Site Scripting Vulnerabilities:
XSS is possible on any page of an ASP APP Portal by appending the variable "msg"
with a value of any script you would like to be run. For example, the following:
default.asp?msg=%3Ciframe%3E
This vulnerability also exists in all 3 applications.


Code Injection Vulnerabilities:
There are a number of places to inject code and have it run by a user or an admin.
These include but are not limited to the following.
Injection vulnerabilities exist in forums.asp.  When posting a new message, script 
can be injected into the Title and into the message form fields.  This is especially 
dangerous because the latest messages are posted on the main page of the website, 
therefore affecting all users.
An Injection vulnerability exists in submit.asp.  A malicious user can submit script 
instead of a link to be added to the website.  This vuln affects the administrator when 
he prepares to accept or deny submissions.
Injection vulnerabilities are present in the profile section of the website.  By 
submitting script into the form fields of upd_user.asp (the profile update form) it will 
be run whenever someone views the affected profile (user_public.asp).  The form fields 
that are vulnerable are First Name, Last Name and Country. This vuln exists in all three
of the previously mentioned ASP APP scripts.



Plaintext Password Storage Weakness:
The username and password for the logged in user are stored as plaintext in the cookie,
making cookie theft through an xss vuln even more dangerous. Also, a malicious admin
can view a user's password in plaintext by visiting the user administration page, and
viewing the HTML source of a user. The user's password will then be presented in plaintext.
This vuln exists in all three of the previously mentioned ASP APP scripts.



Solution:
The vendor plans on releasing a new version of these products at the end of the month to
supposedly correct all of the security issues mentioned above.



Proof Of Concept Exploit:
http://www.gulftech.org/vuln/aspapp.html



Credits:
Credits go to JeiAr && parag0d of the GulfTech Security Research Team.
http://www.gulftech.org

Copyright 2021, SecurityGlobal.net LLC