Информационная безопасность
[RU] switch to English


Дополнительная информация

  Ежедневная сводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  glFusion <= 1.1.2 COM_applyFilter()
/cookies remote blind sql injection exploit

  Q2 Solutions ConnX - SQL Injection Vulnerability

  [OPENX-SA-2009-002] OpenX 2.4.11, 2.6.5, 2.8.0 fix multiple vulnerabilities

  OpenX 2.6.4 multiple vulnerabilities

From:Patrick Webster <patrick_(at)_aushack.com>
Date:3 апреля 2009 г.
Subject:Asbru Web Content Management Vulnerabilities

aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
02-Apr-2009

Software:
Asbru Software - Asbru Web Content Management
http://www.asbrusoft.com/

"Ready to use, full-featured, database-driven web content management system
 (CMS) with integrated community, databases, e-commerce and statistics modules
 for creating, publishing and managing rich and user-friendly
Internet, Extranet
 and Intranet websites."

Versions tested:
6.5 and 6.6.9 have been confirmed as vulnerable in the ASP release.
Other versions are untested. The vendor reports JSP, PHP, ASPX immune.

Vulnerability discovered:

SQL Injection & XSS

Vulnerability impact:

High - SQL Injection in backend database. Impact depends on the
          security and configuration of the database. It may be possible
          to execute code using functons such as xp_cmdshell in poorly
          configured hosts. Other attacks possible include obtaining the
          CMS admin username and password from the database and
          subsequently uploading code or modifying the page content.

Vulnerability information:

The 'id' GET parameter of 'page.asp', 'stylesheet.asp' and 'file.asp' is
vulnerable to numeric based blind SQL injection.

Example:

 http://[victim]/page.asp?id=1         <-- main page
 http://[victim]/page.asp?id=1 AND 1=2 <-- returns blank (false)
 http://[victim]/page.asp?id=1 AND 1=1 <-- main page (true)

 XSS in the 'url' parameter of 'login.asp':

 Example:

 http://[victim]/webadmin/login.
asp?url="><script>alert(document.cookie)</script>

References:
aushack.com advisory
http://www.aushack.com/200904-asbru.txt

Credit:
Patrick Webster ( [email protected] )

Disclosure timeline:
28-Oct-2008 - Discovered during audit.
27-Nov-2008 - Notified vendor.
28-Nov-2008 - Vendor releases patch.
02-Apr-2009 - Disclosure.

EOF

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород