[Full-disclosure] AspTopSites SQL injection

From: Morning Wood (se_cur_ityhotmail.com)
Date: Tue Jan 10 2006 - 13:25:04 CST


------------------------------------------------------------
    - EXPL-A-2006-001 exploitlabs.com Advisory 047 -
------------------------------------------------------------
                         - AspTopSites -

AFFECTED PRODUCTS
=================
AspTopSites
http://www.maine-net.com/aspts.asp

OVERVIEW
========
AspTopSites® runs on your Windows NT/2K/2003 Server
 and uses Active Server Pages with a MS Access 2000 database.
 Simply upload AspTopSites®, make one configuration setting
 and you're ready to start running your own TopSites traffic
 generator. AspTopSites® comes with full source code...
 no encoding or DLLs need to be installed on the server.

DETAILS
=======
1. SQL Injection

AspTopSites does not filter SQL in user input, resulting in
full access to the user manager menu.

POC
===

1.
---

Entering a SQL injection-type statement in the password field
causes the statement to evaluate as true.

http://[host]/topsites/default.asp <--- view listings
http://[host]/topsites/goto.asp?id=43 <--- mouseover id value
http://[host]/topsites/includeloginuser.asp <--- login here
user: [ id value ]
password: 'or'

Note: the vendor demo site is vulnerable.

SOLUTION:
=========
vendor contact:
Jan 3, 2006 willsmaine-net.com ( no resp )
Jan 10, 2006 ( no resp => release )

Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
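
As an added illustration of the mitigation for the login flaw described in the advisory (not code from AspTopSites or from the advisory's author): a classic ASP login check that binds the id and password as ADODB parameters instead of concatenating them into the query. The `members` table, its columns, the database path, the form field names and the `CheckLogin` helper are assumptions; the product's actual query does not appear in the advisory.

```vbscript
<%
' Added example. Table, column, file and field names are hypothetical.
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarWChar = 202

' BEFORE (assumed shape of a concatenated login query):
'   sql = "SELECT id FROM members WHERE id = " & userId & _
'         " AND [password] = '" & pw & "'"
' With the advisory's password value 'or' the text becomes
'   ... AND [password] = ''or''
' The quotes end the string literal and "or" is parsed as an operator,
' so the input is treated as SQL rather than compared as data.

' AFTER: both values are bound as parameters and never parsed as SQL.
Function CheckLogin(conn, userId, pw)
    Dim re, cmd, rs
    CheckLogin = False

    ' The id must be a short run of digits; reject anything else up front.
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(userId) Then Exit Function
    ' Stay inside the declared parameter size.
    If Len(pw) > 255 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id FROM members WHERE id = ? AND [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(userId))
    cmd.Parameters.Append cmd.CreateParameter("@pw", adVarWChar, adParamInput, 255, pw)

    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF   ' a row exists only when both values match
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("db/example.mdb")
If CheckLogin(conn, Request.Form("user") & "", Request.Form("password") & "") Then
    Session("memberId") = CLng(Request.Form("user"))
Else
    Response.Write "Login failed"
End If
conn.Close
Set conn = Nothing
%>
```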