SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   SiteEnable
Vendors:   Iatek
SiteEnable Lets Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013631
SecurityTracker URL:  http://securitytracker.com/id/1013631
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 2 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   Zinho from Hackers Center Security Group reported several input validation vulnerabilities in SiteEnable. A remote user can inject SQL commands and conduct cross-site scripting attacks.

The 'content.asp' script does not properly validate user-supplied input in the 'sortby' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

http://[target]/content.asp?do_search=0&keywords=contact&page_no=2&sortby=;SELECT%20* FROM bla bla--

The 'contenttype' parameter is not properly validated. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SiteEnable software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/content.asp?contenttype=%3Cscript%3Ealert(document.cookie)%3C/script%3E

The title and description fields in the 'Submit a Quote' page are also not properly validated, allowing cross-site scripting attacks.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SiteEnable software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.siteenable.com/default.asp
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.
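
The two input-validation fixes this advisory calls for, sketched in Python as an added example (not SiteEnable code, whose source is not available, and not part of the original advisory): the 'sortby' value is mapped through an allowlist because ORDER BY identifiers cannot be bound as query parameters, and the reflected 'contenttype' value is HTML-encoded before output. The table layout, the column names and the `SORT_COLUMNS` mapping are assumptions made for illustration.

```python
import html
import sqlite3
from urllib.parse import unquote

# Assumed mapping of public sort keys to column names (hypothetical schema).
# Only the right-hand values can ever be placed after ORDER BY.
SORT_COLUMNS = {"title": "title", "date": "created", "author": "author"}
DEFAULT_COLUMN = "title"

# Parameter values taken from the two demonstration URLs in the advisory.
SORTBY_SAMPLE = unquote(";SELECT%20* FROM bla bla--")
CONTENTTYPE_SAMPLE = unquote("%3Cscript%3Ealert(document.cookie)%3C/script%3E")


def order_by_column(sortby):
    """Map an untrusted sortby value to a known column, else the default."""
    key = (sortby or "").strip().lower()
    return SORT_COLUMNS.get(key, DEFAULT_COLUMN)


def search(conn, keywords, sortby):
    """Bind keywords as a parameter; identifiers cannot be bound, so the
    ORDER BY column is chosen from the allowlist instead of concatenated."""
    sql = "SELECT title FROM content WHERE body LIKE ? ORDER BY " + order_by_column(sortby)
    return [row[0] for row in conn.execute(sql, ("%" + keywords + "%",))]


def render_heading(contenttype):
    """HTML-encode the reflected contenttype value before it reaches the page."""
    return "<h1>" + html.escape(contenttype or "", quote=True) + "</h1>"


def demo():
    """Run both checks against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (title TEXT, body TEXT, created TEXT, author TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?, ?)", [
        ("Zebra", "contact us", "2005-01-02", "bob"),
        ("Apple", "contact form", "2005-03-01", "amy"),
    ])
    return search(conn, "contact", SORTBY_SAMPLE), render_heading(CONTENTTYPE_SAMPLE)


if __name__ == "__main__":
    print(demo())
```

In classic ASP, the encoding step corresponds to `Server.HTMLEncode`, and the same allowlist lookup applies before the sort column is appended to the query string.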


 Source Message Contents

Subject:  [HSC Security group] SiteEnable XSS and SQL injection



Hackers Center Security Group (http://www.hackerscenter.com/)    
Zinho's Security Advisory     


Title: SiteEnable CMS Multiple Severe XSS and Sql injections
Risk: High  
Date: 1/04/2005    
Vendor: http://www.siteenable.com/default.asp
Quote from the Vendor: "SiteEnable starts at only $189.00"


I could test siteenable from their online demo: demo.siteenable.com
and after some minutes I realized I was on another buggy cms.

---+ XSS:
http://demo.siteenable.com/content.asp?contenttype=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Another more severe script injection is in the Submit a Quote page in which neither title
nor description fields are sanitized. This can affect all the visitors of the site.
Anyone can inject a silent script and grab anyone's password or cookie.

----+ SQL Injection:
http://demo.siteenable.com/content.asp?do_search=0&keywords=contact&page_no=2&sortby=;SELECT%20* FROM bla bla--

The sortby parameter is directly passed to the sql string without any check. This is sentor 
of mental illness...


Once again I've not thoroughly tested SiteEnable for a time matter and because they do 
not provide source code (it is sold at 189$). Probably other vulns can be found.


Author:     
Zinho is webmaster and founder of http://www.hackerscenter.com ,   Security research  
portal   
Secure Web Hosting Companies Reviewed:  
http://www.securityforge.com/web-hosting/secure-web-hosting.asp  

zinho-no-spam @ hackerscenter.com    


====>
Webmaster of
.:[ Hackers Center : Internet Security Portal]:.
http://www.hackerscenter.com
http://www.securityforge.com/web-hosting
 
 



Copyright 2020, SecurityGlobal.net LLC