Calisto Light / Light Plus / Full SQL Injection

Calisto Light / Light Plus / Full SQL Injection: Posted Aug 12, 2011; Authored by Lostmon | Site lostmon.blogspot.com; Calisto Light, Light Plus, and Full suffers from administrative bypass and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, sql injection; SHA-256 | 6b5158d5c7d3a860cc1ea59a756fa71ccbc90ce73468252dbb4ab96b12573fdd; Download | Favorite | View

Calisto Light / Light Plus / Full SQL Injection

##################################################
Calisto light, light plus and full, Sql Injection And user or Admin bypass
Vendor URL: http://www.calistosoft.com.ar/
Advisore: http://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.html
Vendor notify: YES exploit available: YES
##################################################


##########################
Vulnerability Description
##########################

Calisto Light, Light Plus and Full contains a flaw that may
allow an attacker to carry out an SQL injection attack. The
issue is due to the script not properly sanitizing user-supplied
input to 'usuario' form field and "txtEmail' param upon submision
to 'login.aspx' and '/admin/loginAdmin.aspx' This may allow an
attacker to inject or manipulate SQL queries in the backend database.

################
Versions afected
################

Calisto Light
Calisto Light plus
Calisto Full

######################
Proof Of Concept
######################

this issue can be used to bypass admin validation or user validation

1- If an attacker writes in 'Usuario' box:

someword'or'1'='1'
and click in login button. wen the aplication post to 'login.aspx'
it shows a nice SQL warning but if write:

someword'or'1'='1'--

it bypass validation. if anyones know a user email, then he can
log as this user :)

2- If an attacker writes in 'usuario' box from admin section:

Admin'or'1'='1'--

And click in login button wen the aplication post to
'/admin/loginAdmin.aspx' it bypass Admin validation. :)


################
Solution
###############

No solution was available at this time.
I have send four emails to calistosoft via his webform
and info and support mails to get initial contact but
they haven't respond :(

###############
Timeline
###############

Discovered :  30-07-2011
Vendor Notify: 7-08-2011
Vendor response: no response.
Workarround patch: no patch
Vendor Patch: no patch
Public Disclosure: 11-08-2011

########################## €nd ########################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Top Authors In Last 30 Days

Red Hat 223 files
indoushka 169 files
Jay Turla 150 files
Ubuntu 76 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Debian 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,174)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,794)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,842)
UNIX (9,454)
UnixWare (188)
Windows (6,771)
Other

Calisto Light / Light Plus / Full SQL Injection

Calisto Light / Light Plus / Full SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Calisto Light / Light Plus / Full SQL Injection

Share This

Calisto Light / Light Plus / Full SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems