SecurityTracker.com
Category:   Application (Generic)  >   Expinion Member Management System
Vendors:   Expinion.net
Expinion Member Management System Input Validation Holes Let Remote Users Inject SQL and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009508
SecurityTracker URL:  http://securitytracker.com/id/1009508
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Apr 1 2004
Original Entry Date:  Mar 20 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.1
Description:   Manuel Lopez reported some vulnerabilities in Expinion Member Management System. A remote user can inject SQL commands and conduct cross-site scripting attacks.

It is reported that the 'resend.asp' and 'news_view.asp' scripts do not properly validate user-supplied input in the 'ID' parameter. A remote user can reportedly supply a specially crafted URL to execute SQL commands on the underlying database. Some demonstration exploit URLs are provided:

http://[host]/resend.asp?ID=[SQL query]
http://[host]/news_view.asp?ID=[SQL query]

It is also reported that some scripts do not filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Member Management System software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[host]/error.asp?err=">[XSS]

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Member Management System software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix.
Vendor URL:  www.expinion.net/software/app_mms.asp
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.
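
For defenders reviewing web server logs from an affected installation, the following added example (not part of the original advisory or the vendor's code) flags requests to the scripts named above whose 'ID' value is not a plain integer or whose 'err' value carries HTML metacharacters. It assumes IIS W3C-format logs and that 'ID' is meant to be numeric; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl

# Scripts and parameters come from the advisory; treating ID as an integer
# and err as plain text is an assumption about the application.
NUMERIC_ID_SCRIPTS = {"resend.asp", "news_view.asp"}
MARKUP_CHARS = re.compile(r"[<>\"']")

def classify(stem, query):
    """Return findings for one request (cs-uri-stem, cs-uri-query)."""
    script = stem.rsplit("/", 1)[-1].lower()   # IIS paths are case-insensitive
    findings = []
    # parse_qsl percent-decodes values, so encoded quotes and brackets are seen.
    for name, value in parse_qsl(query, keep_blank_values=True):
        name = name.lower()
        if script in NUMERIC_ID_SCRIPTS and name == "id":
            if not re.fullmatch(r"[0-9]{1,10}", value):
                findings.append("non-numeric ID")
        elif script == "error.asp" and name == "err":
            if MARKUP_CHARS.search(value):
                findings.append("markup characters in err")
    return findings

def scan(lines):
    """Scan W3C log lines; column positions are read from the #Fields header."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        for finding in classify(stem, "" if query == "-" else query):
            hits.append((row.get("c-ip", "?"), stem, finding))
    return hits

# Constructed sample log (documentation addresses, invented requests).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-20 10:00:01 192.0.2.10 GET /news_view.asp ID=12 200
2004-03-20 10:00:05 192.0.2.44 GET /news_view.asp ID=abc 500
2004-03-20 10:00:09 192.0.2.44 GET /resend.asp ID=7%27 500
2004-03-20 10:00:12 192.0.2.10 GET /error.asp err=Invalid+login 200
2004-03-20 10:00:15 192.0.2.44 GET /Error.asp err=%22%3E%3Cb%3Etest 200
2004-03-20 10:00:20 192.0.2.10 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```
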


 Source Message Contents

Subject:  Vulnerabilities in Member Management System 2.1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#Title:  Vulnerabilities in Member Management System 2.1

#Software:  Member Management System 2.1
#Vendor:  http://www.expinion.net/software/app_mms.asp
#Impact:  Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS:  Windows NT, Windows 2000, Windows 2003 or Windows XP
Professional/Server.

#Vendor Description:

Quickly secure pages or portions of your web site from unregistered
visitors. Easy to integrate security into existing sites! Login to admin to
send 'Expiry Notices', upload & download user data, capture member activity,
browser & os info, add optional fields, send subscriber newsletters, group &
relate people, verify email addresses?

#Vulnerabilities:

Input Validation Holes Permit SQL Injection and Cross-Site Scripting
Attacks.

#SQL Injection#

A problem of sanitization in resend.asp and news_view.asp could allow an attacker
to inject SQL code to manipulate and disclose information from the database.
The same problem is present in more scripts in the administration site.

Examples:
http://[host]/resend.asp?ID=[SQL query]
http://[host]/news_view.asp?ID=[SQL query]

#Cross-Site Scripting#

Another problem of sanitization permits an attacker to inject an XSS in the
register form (register.asp); this will be executed at the administration
site, permitting the attacker to modify or delete data.
An XSS attack is also possible in error.asp.

Example:
http://[host]/error.asp?err=">[XSS]
Example to delete a user:
In the register form: "><iframe src=http://[host]/admin/user_del.asp?ID=[ID
to delete]>

#Solution:

Vendor contacted, the vulnerabilities will be addressed very soon.
Thanks to Vladimir S. Pekulas.
http://www.expinion.net/software/app_mms.asp

#Credits:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1

iD8DBQFAXGbJlZD3/ZFHM4ERAssGAJ9ntcO+2ueghQsME6r/ZEWnH1ddTQCffpx8
Z2LjcPl8y8jwQc2Tiz91VXk=
=NduI
-----END PGP SIGNATURE-----



 
 



Copyright 2019, SecurityGlobal.net LLC