Expinion Member Management System Input Validation Holes Let Remote Users Inject SQL and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009508
SecurityTracker URL: http://securitytracker.com/id/1009508
Updated: Apr 1 2004
Original Entry Date: Mar 20 2004
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Manuel Lopez reported some vulnerabilities in Expinion Member Management System. A remote user can inject SQL commands and conduct cross-site scripting attacks.
It is reported that the 'resend.asp' and 'news_view.asp' scripts do not properly validate user-supplied input in the 'ID' parameter. A remote user can reportedly supply a specially crafted URL to execute SQL commands on the underlying database. Some demonstration exploit URLs are provided:
It is also reported that some scripts do not filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Member Management System software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Member Management System software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fix.
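A log-triage check for the request patterns described above, as an added example that is not part of this entry or of the vendor's fix. It scans an IIS W3C extended log for non-numeric 'ID' values sent to 'resend.asp' or 'news_view.asp' and for markup characters in 'error.asp' parameters; the '/mms/' path, the 'err' parameter name and every sample log line are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Script names and the ID parameter come from the advisory text.
SQLI_SCRIPTS = ("resend.asp", "news_view.asp")
XSS_SCRIPTS = ("error.asp",)
INT_ID = re.compile(r"[0-9]{1,10}")   # what a legitimate record ID looks like
MARKUP = re.compile(r'[<>"]')          # characters needed to break out into HTML

# Constructed IIS W3C extended log sample (path, 'err' name and IPs are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-21 10:00:01 192.0.2.10 GET /mms/news_view.asp ID=12 200
2004-03-21 10:00:05 192.0.2.44 GET /mms/news_view.asp ID=12%27+OR+1%3D1-- 500
2004-03-21 10:00:09 192.0.2.44 GET /mms/resend.asp id=7%20AND%201=1 500
2004-03-21 10:00:12 192.0.2.51 GET /mms/error.asp err=%3Cb%3Etest%3C/b%3E 200
2004-03-21 10:00:15 192.0.2.10 GET /mms/error.asp err=Invalid+login 200
2004-03-21 10:00:20 192.0.2.10 GET /mms/resend.asp - 200
"""

def suspicious_requests(log_text):
    """Return (client_ip, script, reason) for requests matching the advisory."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                       # other directives, or no header yet
        row = dict(zip(fields, line.split()))
        script = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        query = row.get("cs-uri-query", "-")
        # parse_qsl URL-decodes, so encoded quotes and brackets are compared in clear
        params = parse_qsl("" if query == "-" else query, keep_blank_values=True)
        for name, value in params:
            if (script in SQLI_SCRIPTS and name.lower() == "id"
                    and not INT_ID.fullmatch(value)):
                hits.append((row.get("c-ip", "?"), script, "non-numeric ID"))
            elif script in XSS_SCRIPTS and MARKUP.search(value):
                hits.append((row.get("c-ip", "?"), script, "markup in " + name))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The check covers only query-string traffic, so input posted through the registration form does not appear in these logs and has to be reviewed in the stored member records instead.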
Vendor URL: www.expinion.net/software/app_mms.asp
Input validation error
Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP)
Source Message Contents
Subject: Vulnerabilities in Member Management System 2.1
-----BEGIN PGP SIGNED MESSAGE-----
#Title: Vulnerabilities in Member Management System 2.1
#Software: Member Management System 2.1
#Impact: Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS: Windows NT, Windows 2000, Windows 2003 or Windows XP
Quickly secure pages or portions of your web site from unregistered
visitors. Easy to integrate security into existing sites! Login to admin to
send 'Expiry Notices', upload & download user data, capture member activity,
browser & os info, add optional fields, send subscriber newsletters, group &
relate people, verify email addresses?
Input Validation Holes Permit SQL Injection and Cross-Site Scripting
A problem of sanitization in resend.asp and news_view.asp could lead an attacker
to inject SQL code to manipulate and disclose information from the database.
The same problem is present in the administration site in more scripts.
Another problem of sanitization permits an attacker to inject an XSS in the
register form (register.asp); this will be executed at the administration
site, permitting the attacker to modify or delete data.
An XSS attack is also possible in error.asp.
Example to delete a user:
In the register form: "><iframe src=http://[host]/admin/user_del.asp?ID=[ID
Vendor contacted, the vulnerabilities will be addressed very soon.
Thanks to Vladimir S. Pekulas.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1
-----END PGP SIGNATURE-----