IdealBBASP.txt
Posted May 9, 2006
Authored by CodeScan Labs

IdealBB ASP Bulletin Board versions 1.5.4a and below suffer from file reading, file upload, and cross site scripting flaws.

tags | advisory, xss, asp, file upload
SHA-256 | 7fcc9d4b17811aa2b9759b668c666de7be25b522adfcc2632cfcfd19d30a59b2

========================================================================
= CodeScan Advisory, codescan.com <advisories@codescan.com>
=
= Multiple Vulnerabilities In IdealBB ASP Bulletin Board
=
= Vendor Website:
= http://www.idealscience.com
=
= Affected Version:
= Version 1.5.4a And Earlier
=
= Researched By
= CodeScan Labs <advisories@codescan.com>
=
= Public disclosure on May 8th, 2006
========================================================================

== Overview ==

CodeScan Labs (www.codescan.com) has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan uses an intelligent source code parsing engine that traverses
execution paths and tracks the flow of user supplied input.

During the ongoing testing of CodeScan ASP, IdealBB ASP Bulletin Board
was selected as one of the test applications.

This advisory is the result of research into the security of IdealBB,
based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* File Reading *

A vulnerability was discovered that allows any file under the web root
to be read. The vulnerable code is a call to the OpenTextFile method of
the Scripting.FileSystemObject with user supplied input passed as the
file to read.

* File Uploading *

Four file uploading vulnerabilities were discovered, allowing a remote
user to upload files containing ASP code.

One of the vulnerable instances attempts to check that the extension is
of an allowed type. It does this by checking the extension against a
list of known good extensions. While the list does not include the .asp
extension, it does include .asa. This means a user can upload a file with
a .asa extension that contains ASP scripting, which will be executed when
the uploaded file is accessed.

All of the instances are vulnerable to the ASP Null Byte problem as
documented in
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

All the instances use code similar to that shown below to validate the
extension against a list of allowed extensions.

[ Start Pseudo Code ]

' the extension is taken as everything after the last "." in the name
theExtension = right(sFileName, len(sFileName) - instrrev(sFileName, "."))
bFileExtensionIsValid = false 'assume extension is bad
for each sFileExt in oProps.extensions
    if ucase(sFileExt) = ucase(theExtension) then
        'if the extensions match, it's good. stop checking
        bFileExtensionIsValid = True
        exit for
    end if
next

[ End Pseudo Code ]

The CreateTextFile method of the Scripting.FileSystemObject is then used
to write the contents of the upload to a file.
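The two weaknesses described above (an allowlist that still contains an executable extension, and an extension check that sees a different name from the one the file system writes) are modelled here as an added example; this is not code from the advisory or from IdealBB. The allowlists and filenames are constructed samples, and `name_as_written` is an assumption about how a NUL-terminated file API truncates the name, as in the whitepaper cited above.

```python
import re

# Constructed allowlist modelled on the advisory: .asp is absent but .asa is present.
LOOSE_ALLOWLIST = {"jpg", "gif", "png", "txt", "asa"}

# Hardened allowlist: only inert content types that the ASP engine will not execute.
STRICT_ALLOWLIST = {"jpg", "gif", "png", "txt"}


def extension_as_checked(filename: str) -> str:
    """Port of the advisory's pseudo code: everything after the last '.', case-folded."""
    return filename[filename.rfind(".") + 1:].lower()


def loose_check(filename: str) -> bool:
    """The original behaviour: compare the parsed extension against the list."""
    return extension_as_checked(filename) in LOOSE_ALLOWLIST


def name_as_written(filename: str) -> str:
    """Assumed model of the ASP null byte problem: a NUL-terminated file API
    stops at the first NUL, so only the prefix before it reaches the disk."""
    return filename.split("\x00", 1)[0]


def strict_check(filename: str) -> bool:
    """Hardened validation: one dot, no control characters or path separators,
    and an extension from the inert allowlist only."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}", filename):
        return False  # rejects NUL, '/', '\\', '..' and double extensions
    return extension_as_checked(filename) in STRICT_ALLOWLIST


def audit(filename: str) -> dict:
    """Report what the loose check saw next to what would land on disk."""
    return {
        "checked_ext": extension_as_checked(filename),
        "loose_accepts": loose_check(filename),
        "written_as": name_as_written(filename),
        "strict_accepts": strict_check(filename),
    }
```

The `audit` report is what a reviewer wants from an upload handler: the name the validator judged and the name the file system would actually create must be the same string, or the check is not protecting anything.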

* SQL Injection *

More than 50 SQL Injection vulnerabilities were located during the CodeScan
analysis. Most of these were caused by unfiltered user supplied input
appended directly to calls to stored procedures.

[ Start Pseudo Code ]

' ID comes straight from the request and is appended unquoted
SQLstr = "sp_someStoredProc " & ID
record.Open SQLstr, DB_CONNECTION, 0, 1

[ End Pseudo Code ]

In some cases the user supplied input was passed through a function used
to escape the ' character. Exploitation was still possible, though, as
the concatenated SQL string did not place the input inside quotes, so
the escaping had no effect on input that contained no quote character.

[ Start Pseudo Code ]

function validateInput(theString)
    ' doubles single quotes only; other characters pass through unchanged
    theString = replace(theString, "'", "''")
    ..
end function

' the escaped value is still concatenated outside quotes
SQLstr = "sp_anotherStoredProc " & validateInput(ID)
record.Open SQLstr, DB_CONNECTION, 0, 1

[ End Pseudo Code ]
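Why quote-escaping does not help an unquoted numeric argument, shown as an added example that is not code from the advisory or from IdealBB: the escaping helper is ported as written and used in the same unquoted concatenation, beside a lookup that validates the type and binds a parameter. An in-memory SQLite table stands in for the stored procedure call; the table and its rows are constructed.

```python
import sqlite3


def validate_input(the_string: str) -> str:
    """Port of the advisory's validateInput: it doubles single quotes and nothing else."""
    return the_string.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "welcome"), (2, "rules"), (3, "staff only")])
    return conn


def lookup_escaped_unquoted(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern the advisory describes: escaped input appended outside quotes,
    so any input without a quote character reaches the SQL parser unchanged."""
    sql = "SELECT title FROM posts WHERE id = " + validate_input(raw_id)
    return [row[0] for row in conn.execute(sql)]


def parse_id(raw_id: str) -> int:
    """Hardened step 1: an ID must be a plain ASCII integer.
    str.isdigit alone also accepts Unicode digits, hence the isascii check."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    return int(raw_id)


def lookup_parameterised(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened step 2: bind the typed value instead of building SQL text."""
    cur = conn.execute("SELECT title FROM posts WHERE id = ?", (parse_id(raw_id),))
    return [row[0] for row in cur]
```

The same split applies in classic ASP: validate the type before the call, and pass the value through a parameterised command rather than a concatenated string.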


* Cross Site Scripting *

Numerous cross site scripting vulnerabilities were discovered where
user supplied input was written directly back to the browser unencoded.

== Solutions ==

CodeScan Labs has been in contact with the vendor and a new version
of the software has been released to address a number of the discovered
vulnerabilities.

Users are advised to upgrade to the latest version from
http://www.idealscience.com

== Credit ==

Discovered and reported to the vendor by CodeScan Labs.

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development
organisation that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP
and PHP (Beta).

CodeScan Labs operates with Responsible Disclosure. As a result,
any published advisories will contain information about problems
identified by CodeScan that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff and which
are not resolved by the vendor will not be made publicly available.
