SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   ASP Portal Vendors:   ASP Portal
ASP Portal Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015772
SecurityTracker URL:  http://securitytracker.com/id/1015772
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 15 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.00
Description:   A vulnerability was reported in ASP Portal. A remote user can inject SQL commands.

The software does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The software also does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASP Portal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

CodeScan Labs discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ASP Portal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has released a fixed version (3.1.0), available at:

http://www.aspportal.net/content/downloads/download.asp

Vendor URL:  www.aspportal.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] CodeScan Advisory: Multiple Vulnerabilities In

This is a multi-part message in MIME format...

------------=_1142383915-809-302
Content-Class: urn:content-classes:message
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

========================================================================
= CodeScan Advisory, codescan.com <advisories@codescan.com>
= 
= Multiple Vulnerabilities In ASPPortal.net
=
= Vendor Website: 
= http://www.aspportal.net
=
= Affected Version:
=    Version 3.00
=
= Researched By
=    CodeScan Labs <advisories@codescan.com>
=
= Public disclosure on March 15th, 2006
========================================================================

== Overview ==

CodeScan Labs (www.codescan.com), has recently released a new source 
code scanning tool, CodeScan. CodeScan is an advanced auditing tool 
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing 
execution paths and tracking the flow of user supplied input.

During the ongoing testing of CodeScan ASP, ASPPortal v3.00 was selected
as one of the test applications.

This advisory is the result of research into the security of ASPPortal,
based on the report generated by the CodeScan tool.

== Vulnerability Details ==

More than 10 SQL injection vulnerabilities were discovered in the 
application that could be exploited by either unauthenticated users, 
or from a normal user account.

Most of the SQL calls were done without any sort of filtering such
as is shown in this code snippet;
------------------------------------------------------------------
  sql = "SELECT Forums_Reply.Reply_ID, Forums_Reply.Topic_ID, 
         Forums_Reply.Author,users.Firstname, users.Lastname, 
         users.Email, users.Signature, users.Active, 
         Forums_Reply.Reply_Message, Forums_Reply.Enable_Sign, 
         Forums_Reply.Enable_EMail, Forums_Reply.Date_Added, 
         Forums_Reply.IsActive FROM Forums_Reply INNER JOIN 
         users ON Forums_Reply.Author =users.User_id 
         Where Topic_ID=" & request("topic") & ""
  set rs1 = cn.Execute(sql)
------------------------------------------------------------------
The previous code was found to be vulnerable if the following 
conditions were met;
    request("mail")="ON" & 
    request("newreply")="Create Reply"  & 
    request("page_type")=1

Over 50 cross site scripting vulnerabilities were discovered throughout
the application. These were either the use of direct output of user
input such as;

	<%=request("error")%>

or user input displayed using response.write

	response.write "details has been sent to "&request("getemail")

== Solutions ==

CodeScan Labs has been in contact with the vendor and a new version
of the software has been released to address a number of the discovered
vulnerabilities.

Users are advised to upgrade to the latest version from 
   http://www.aspportal.net	 
 
== Credit ==

Discovered and advised to the vendor by CodeScan Labs

== About CodeScan Labs Ltd ==

CodeScan Labs is specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities.  The CodeScan product is currently available for ASP
and PHP(Beta)



e-mail protected and scanned by Bizo Email Filter - powered by Advascan



------------=_1142383915-809-302
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------=_1142383915-809-302--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC