exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

aenovoSQL.txt

aenovoSQL.txt
Posted Oct 8, 2005
Authored by DevilBox, Farhad Koosha | Site kapda.ir

Aenovo is susceptible to multiple SQL injection and cross site scripting vulnerabilities. Details provided.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | 43a29a44230d7d18568c832c99fa41dce36ae895792641634b5197bb81828619

aenovoSQL.txt

Change Mirror Download
Aenovo Multiple Vulnerabilities

[KAPDA::#3] - Aenovo - Multiple Vulnerabilities

KAPDA New advisory

Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions),

AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions)

Vendor: http://www.aenovo.co.uk/

Risk: High

Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss)

About Aenovo
--------------------
aeNovo is a collection of sophisticated web pages

that allows you to have a website that's as big and

as elaborate as you make it. Once your aeNovo

files are moved to your web space you can add, delete

and amend pages, images and all manner of files

all THROUGH THE BROWSER.

Vendor`s description : http://www.aenovo.co.uk/introduction.asp

Discussion :
----------------
Several scripts do not properly validate user-supplied

input. A remote user can create specially crafted

parameter values that will execute SQL commands on the

underlying database.Also it is possible to Inject Html scripts

in vulnerable page.

One the most Important rules in Application security is

confidentiality of stored passwords.To achive this goal

Applications ( Including web apps) encrypt passwords and

store crypted hashes.This application suffer from Clear Text

Password Storage.

As we know and tested all versions of Aenovo , Aenovoshop

and aeNovoWYSI are vulnerable.


Vulnerabilities:
--------------------

[1] Sql injection in /password/default.asp (/user/control.asp)

at parameter named 'password'.Attacker can enter Sql to login

to system as low-level user.

[2]Clear Password Storage at 'control','content' and 'pages' tables.

[3]Sql injection in /search.asp (/incs/searchdisplay.asp)

at parameter named 'strSQL'.

[4]Xss can be found in most of active server pages

which get and render user-supplied input.

Proof of Concepts:
--------------------

[1]
<html>
<h1>Aenovo Login-Bypass PoC - Kapda `s advisory </h1>
<p> Discovery and exploit by farhadkey [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute
of Iran</a></p>
<form method="POST" action="http://target/user/control.asp">
<input type="hidden" name="password" value="[SQL Injection]" >
<input type="submit" value="Submit" name="B1">
<input type="hidden" name="test" value="1">
</form></html>

[3]
AeNovo :Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]

AeNovoShop:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]


AeNovoWYSI:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]

Solution:
--------------------
No patch`s released yet by vendor.
This advisory is reported to Vendor about one month ago.

More Detail:
--------------------
http://www.kapda.ir/advisory-78.html
Visit above link for more details.

Credit :
--------------------
Farhad Koosha & Devil_box
devil_box [at} kapda.ir
farhadkey [at} kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close