passprotect.txt

2004-09-02T00:00:00
ID PACKETSTORM:34225
Type packetstorm
Reporter criolabs.net
Modified 2004-09-02T00:00:00

Description

****************************************************************************************************  
CRIOLABS   
  
- Software: Password protect   
- Type: User Authentication  
- Company: Web Animations  
- Date: 30-8-2004  
  
  
****************************************************************************************************  
  
  
## Software ##  
  
Software: Password protect   
Versions: All   
Language: ASP  
Platforms: Win NT, 2000, XP   
Web: http://www.webanimations.com.au/  
  
  
The ultimate protection including unlimited user names and passwords, each checking their individual  
IP address. You can add one IP address or include a range for users with various IP addresses  
when they log in.   
  
  
  
## Affected part ##   
  
- ChangePassword.asp (XSS in showmsg, SQL Injection in LoginId and OPass variables)  
- index.asp (XSS in showmsg)  
- index_next.asp (SQL Injection in admin and Pass variables)  
- users_list.asp (XSS in showmsg variable)  
- users_add.asp (XSS in showmsg variable, SQL Injection)  
- users_edit.asp (XSS, SQL Injection)  
  
  
  
## Vulnerabilities ##  
  
  
### SQL Injection ###  
  
A remote user can use an SQL injection attack to log in as admin or manipulate the database.  
index_next.asp, ChangePassword.asp, users_edit.asp, users_add.asp are affected.  
  
  
Example:  
  
/adminSection/index_next.asp?  
admin = (SQLInjection) Pass = (SQLInjection)   
  
/adminSection/ChangePassword.asp?  
LoginId=(SQLInjection) OPass=(SQLInjection) NPass=(SQLInjection) CPass=(SQLInjection)  
  
  
Proof of Concept:  
  
Login Id:'or''='  
Password:'or''='  
  
Login Id: admin  
Password:'or''='  
  
  
  
### Cross-site Scripting ###  
  
This software does not filter HTML code from user-supplied input in some scripts.  
  
  
Example:  
  
/adminSection/index.asp?ShowMsg=(XSS)  
/adminSection/ChangePassword.asp?ShowMsg=(XSS)  
/adminSection/users_list.asp?showmsg=(XSS)  
/adminSection/users_add.asp?showmsg=(XSS)   
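Both issues above, as an added example (Python with sqlite3, not the advisory's or the vendor's ASP code): a login check that splices LoginId and Password into the SQL text is satisfied by the `'or''='` credentials from the proof of concept, a bound-parameter check rejects them, and the ShowMsg value is HTML-encoded before it is written into the page. The in-memory table, its column names and the stored credentials are constructed assumptions.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for the product's user table (assumption: the
    ASP scripts compare LoginId/Password against such a table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (loginid TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def login_concat(db, login_id, password):
    """Vulnerable pattern: user input becomes part of the SQL grammar.
    With login_id = "'or''='" the WHERE clause degenerates into
    loginid='' or ''='' AND password='' or ''='' , which is always true."""
    sql = ("SELECT COUNT(*) FROM users WHERE loginid='" + login_id
           + "' AND password='" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_param(db, login_id, password):
    """Hardened pattern: bound parameters are compared as data only, so the
    quotes in the input never reach the SQL parser."""
    sql = "SELECT COUNT(*) FROM users WHERE loginid=? AND password=?"
    return db.execute(sql, (login_id, password)).fetchone()[0] > 0


def render_showmsg(msg):
    """Hardened ShowMsg rendering: encode <, >, &, " and ' before the value
    is placed in the HTML body, so markup in the parameter is shown as text."""
    return '<p class="msg">' + html.escape(msg, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("concat, no credentials:", login_concat(db, "'or''='", "'or''='"))
    print("param,  no credentials:", login_param(db, "'or''='", "'or''='"))
    print(render_showmsg("<b>hello</b>"))
```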
  
  
  
  
## History ##  
  
Vendor contacted: Fri, 06 Aug 2004, no response.   
  
  
  
## Credits ##  
  
Criolabs staff  
http://www.criolabs.net   