getintranet.txt

Date: 14 Sep 2004
Reported by: criolabs.net
Type: packetstorm
Source: packetstormsecurity.com

getIntranet, an intranet-in-a-box product from getSolutions (ASP front end, Microsoft SQL Server back end), has multiple vulnerabilities: SQL injection, cross-site scripting, insecure direct object references (ID spoofing), unrestricted file upload leading to ASP code execution, privilege escalation through a client-controlled role field, and a brute-forceable lost-password function.

****************************************************************************************************  
CRIOLABS   
  
- Software: getIntranet   
- Type: E-business:Intranet  
- Company: getSolutions  
- Date: 09-9-2004  
  
  
****************************************************************************************************  
  
  
#Software: getIntranet.  
#Platform: ASP, Microsoft SQL.  
#Comments: Administration section (Not Tested)  
  
  
  
## Description ##  
  
getIntranet is a rapidly deployable Intranet-in-a-box: a feature-rich, cost-effective, robust communication tool that any  
company can deploy to assist in managing time-consuming tasks (e.g., document and content management, customer and  
supplier information, online leave forms and company reports).  
  
  
  
## Vulnerabilities ##   
  
Multiple SQL-Injections, Cross-Site Scripting, ID spoof, File upload vulnerability, ASP code execution on the server,  
Privilege escalation vulnerability, ID bruteforce.  
  
  
## Multiple SQL-Injections ##  
  
Numerous missing input-sanitisation checks let an attacker inject SQL through request parameters and manipulate  
or disclose information from the database.  
  
Because the back end is Microsoft SQL Server, an attacker could also execute operating-system commands on the  
server through the xp_cmdshell extended stored procedure, provided the application's database login is allowed  
to call it (xp_cmdshell is restricted to members of the sysadmin role unless explicitly granted).  
  
  
/welcome.asp?id=[SQL]  
  
/welcome.asp?page=search.asp&search=[SQL]  
  
/welcome.asp?page=content_display.asp&id=[SQL]  
  
/welcome.asp?page=customer_list.asp&ctype=[SQL]  
  
/welcome.asp?page=calendar_add.asp&id=[SQL]  
  
/welcome.asp?action=invitation&calendarid=[SQL]&ans=1  
  
/welcome.asp?page=employee_detail.asp&lid=&id=[SQL]  
  
/welcome.asp?page=front_calendar_display.asp&ctype=[SQL]  
  
/welcome.asp?page=calendar_display.asp&id=[SQL]  
  
/welcome.asp?page=front_content_display.asp&ctype=[SQL]  
  
/welcome.asp?page=message_send.asp&id=[SQL]  
  
/welcome.asp?action=delmessage&id=[SQL]  
  
/welcome.asp?page=message.asp&id=[SQL]  
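The following is an added example, not code from the advisory or from getIntranet. It reproduces the pattern behind `welcome.asp?id=[SQL]` and the corresponding fix. Python's sqlite3 stands in for the product's Microsoft SQL Server (the advisory's database is not available offline), and the `employee` table, its rows and the column names are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's employee table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                    [(1, "alice", 50000), (2, "bob", 62000), (3, "carol", 71000)])
    con.commit()
    return con


def lookup_unsafe(con: sqlite3.Connection, user_id: str) -> list:
    """The pattern behind welcome.asp?id=[SQL]: the request parameter is pasted
    into the statement text, so it can rewrite the WHERE clause or append a UNION.
    On SQL Server the same flaw also admits a stacked statement such as
    ";EXEC master..xp_cmdshell ..."; sqlite3's execute() refuses multi-statement
    text, so that variant is not reproduced here."""
    sql = "SELECT id, name, salary FROM employee WHERE id = " + user_id
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """The fix: check the type, then bind the value as a parameter so it is data,
    never SQL text. In classic ASP the equivalent is an ADODB.Command with typed
    Parameters (or a stored procedure called with parameters). Doubling single
    quotes with Replace() would not help in a numeric context like this one."""
    if not user_id.isdigit():
        return []
    return con.execute("SELECT id, name, salary FROM employee WHERE id = ?",
                       (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "1 OR 1=1"))      # every row: the WHERE clause was rewritten
    print(lookup_unsafe(db, "-1 UNION SELECT 0, name, salary FROM employee WHERE name = 'carol'"))
    print(lookup_safe(db, "1 OR 1=1"))        # [] : the value never reaches the parser as SQL
```

The tautology and the UNION are the two injection shapes a numeric parameter such as `id`, `ctype` or `calendarid` admits without any quote character at all, which is why quote-escaping alone does not close these findings.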
  
  
  
## Cross-Site Scripting ##  
  
In "Send Message" the subject and comments fields accept script directly. An attacker can submit specially  
crafted text so that, when a target user views the page that displays it, arbitrary script is executed by the  
target user's browser, allowing the attacker to modify the user's profile, redirect the browser to another page,  
steal the session cookie, and so on.  
  
The same problem exists in the calendar and in every comment field in the software.  
A remote attacker could also inject script into the registration form; it would be executed when the administrator logs on.  
  
  
## ID Spoof ##  
  
An attacker can view and delete any user's directory, archives and mail simply by changing the (id) and (lid)  
parameters; the server never checks that the referenced object belongs to the logged-in user.  
  
#Example:  
  
/welcome.asp?id=30&ctype=1&lid=f30&page=folder_detail.asp  
/welcome.asp?page=message.asp&id=4  
/welcome.asp?action=delmessage&id=3  
  
  
## File Upload vulnerability and ASP Code Execution on the Server ##  
  
fileupload.asp permits remote authenticated users to upload files to the server without restricting the file type.  
Once an ASP page has been uploaded, a remote user can execute it simply by requesting the file; the code runs  
with the privileges of the web server.  
  
Note that the form below also carries the name of the server-side stored procedure (proc=sp_login_upload_write)  
and the user and record identifiers (t1, t2, lid) as hidden fields, all of which the client controls.  
  
  
  
## Form Upload Example ##  
  
<form method="post" action="http://VULNERABLEHOST/fileupload.asp" enctype="multipart/form-data" id="form1" name="form1">  
<input type="hidden" name="t1" value="25">  
<input type="hidden" name="t2" value="13">  
<input type="file" name="file" value="" size="20" class="formitem">  
<textarea name="t3" size="20" class="textarea" rows="5" cols="40"></textarea>  
<input type="hidden" name="t4" value="1">  
<input type="hidden" name="flds" value="4">  
<input type="hidden" name="proc" value="sp_login_upload_write">  
<input type="hidden" name="lid" value="">  
<input type="hidden" name="upload" value="upload">  
<input type="hidden" name="customer" value="">  
<input type="hidden" name="page" value="login_detail.asp">  
<input type="hidden" name="basepage" value="welcome.asp">  
<input type="submit" name="Action" value="Upload" class="formitembutton">  
</form>  
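The following is an added example, not code from the advisory or from getIntranet. It shows the server-side checks an upload handler such as fileupload.asp would need so that an uploaded ASP page can never be executed by the web server. The permitted types, the storage directory and the sample file contents are assumptions made for the demonstration.

```python
import os
import re
import secrets
import tempfile

# Non-executable document types the intranet is assumed to need. The values are
# the genuine leading bytes (file signatures) of each format.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# Exactly one dot, a short alphanumeric extension, nothing else: this refuses
# shell.asp.jpg, shell.asp;.jpg and names carrying path or shell metacharacters.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})$")

# Constructed sample file used by demo().
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"


def validate_upload(filename: str, data: bytes) -> str:
    """Return the permitted extension, or raise ValueError.

    Both the name and the content are checked: an ASP page renamed report.pdf
    fails because its bytes do not start with the PDF signature."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    match = SAFE_NAME.match(base)
    if match is None:
        raise ValueError("unacceptable filename: %r" % filename)
    ext = match.group(1)
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise ValueError("extension not permitted: " + ext)
    if not data.startswith(magic):
        raise ValueError("content does not match declared type " + ext)
    return ext


def is_rejected(filename: str, data: bytes) -> bool:
    """True if validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False


def store_upload(filename: str, data: bytes, storage_dir: str) -> str:
    """Write the file under a random, server-chosen name in a directory that is
    not under the web root, so nothing uploaded is reachable as a URL. The
    application then serves it back through a download handler that sets a
    fixed Content-Type and Content-Disposition: attachment."""
    ext = validate_upload(filename, data)
    path = os.path.join(storage_dir, secrets.token_hex(16) + "." + ext)
    with open(path, "xb") as fh:          # "x": never overwrite an existing file
        fh.write(data)
    return path


def demo() -> tuple:
    """Store the sample PDF in a scratch directory; return (stored name, size on disk)."""
    scratch = tempfile.mkdtemp(prefix="uploads-")
    path = store_upload("Quarterly Report.PDF".replace(" ", "_"), SAMPLE_PDF, scratch)
    return os.path.basename(path), os.path.getsize(path)


if __name__ == "__main__":
    print(demo())
    print(is_rejected("shell.asp", b"<% Response.Write(1) %>"))   # True
```

The two checks are deliberately independent: the name check stops the executable extension, and the signature check stops a script hidden behind a permitted extension; storing under a random name outside the web root means that even a check that is later bypassed does not yield code execution.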
  
  
  
## Privilege Escalation Vulnerability ##  
  
A remote authenticated user can escalate privileges through "Update my details" by changing the T47 parameter  
from 1 to 4 (Super Admin); the submitted value is written to the account's role without a server-side check.  
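The following is an added example, not code from the advisory or from getIntranet, covering both the "ID Spoof" and "Privilege Escalation" findings above: an ownership check for object identifiers taken from the query string, and a profile update that never reads the role from the form. The user records, folder contents and message ids are constructed; only the role values 1 (normal user) and 4 (Super Admin) and the id=30 / lid=f30 pair come from the advisory.

```python
from dataclasses import dataclass, field

ROLE_USER, ROLE_SUPER_ADMIN = 1, 4          # the advisory's T47 values


class Forbidden(Exception):
    """The logged-in user may not act on the requested object."""


@dataclass
class User:
    id: int
    name: str
    role: int
    folders: dict = field(default_factory=dict)     # lid -> list of files
    messages: dict = field(default_factory=dict)    # message id -> text


# Constructed accounts (the session store is simply "the caller's user id").
USERS = {
    30: User(30, "alice", ROLE_USER, {"f30": ["budget.xls"]}, {3: "hello bob"}),
    31: User(31, "bob", ROLE_USER, {"f31": ["notes.doc"]}, {4: "re: hello"}),
    99: User(99, "root", ROLE_SUPER_ADMIN),
}


def _owner_or_admin(session_uid: int, owner_id: int) -> None:
    caller = USERS[session_uid]
    if caller.id != owner_id and caller.role != ROLE_SUPER_ADMIN:
        raise Forbidden("object belongs to user %d" % owner_id)


def folder_detail(session_uid: int, id: int, lid: str) -> list:
    """welcome.asp?page=folder_detail.asp&id=..&lid=.. with the check the
    advisory shows is missing: id and lid still come from the request, but the
    folder is returned only if the session user owns it or is Super Admin."""
    owner = USERS.get(id)
    if owner is None or lid not in owner.folders:
        raise KeyError("no such folder")
    _owner_or_admin(session_uid, owner.id)
    return owner.folders[lid]


def delete_message(session_uid: int, msg_id: int) -> bool:
    """action=delmessage&id=..: resolve the message to its owner first, then
    apply the same check, so a user cannot delete another user's mail."""
    for owner in USERS.values():
        if msg_id in owner.messages:
            _owner_or_admin(session_uid, owner.id)
            del owner.messages[msg_id]
            return True
    return False


EDITABLE_BY_SELF = ("name",)


def update_my_details(session_uid: int, form: dict) -> User:
    """"Update my details": copy only the fields a user may edit about
    themselves. The role (T47 in the advisory) is never taken from the form,
    so posting T47=4 cannot make the caller Super Admin."""
    user = USERS[session_uid]
    for key in EDITABLE_BY_SELF:
        if key in form:
            setattr(user, key, form[key])
    return user


def set_role(session_uid: int, target_uid: int, role: int) -> User:
    """The only code path that changes a role, and it is admin-only."""
    if USERS[session_uid].role != ROLE_SUPER_ADMIN:
        raise Forbidden("only Super Admin may change roles")
    if role not in (ROLE_USER, ROLE_SUPER_ADMIN):
        raise ValueError("unknown role %r" % role)
    USERS[target_uid].role = role
    return USERS[target_uid]
```

The common thread is that identifiers and role values arriving in a request are treated as untrusted selectors, and the decision about what the caller may do is made from the session's own record.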
  
  
## ID Bruteforce ##  
  
lostpassword.asp requires three values to retrieve a lost password (name, surname and ID number). Name and surname  
are easily obtained, and the ID number can be brute-forced in a matter of hours, after which the attacker can  
hijack the account. Note that the function returns the password itself rather than issuing a reset.  
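The following is an added example, not code from the advisory or from getIntranet. It keeps the advisory's three lookup fields but removes the two properties that make the brute force work: unlimited guesses, and a response that hands over the password. The account record, the ID number, the attempt budget and the lockout window are assumptions for the demonstration.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed account store; the ID number is a made-up 13-digit value.
ACCOUNTS = {
    ("jane", "doe"): {"id_number": "8203115012089", "email": "jane@example.invalid"},
}
MAX_ATTEMPTS = 5                 # wrong answers allowed per account per window (assumed)
LOCKOUT_SECONDS = 15 * 60        # measured from the first wrong answer of the streak
_failures: dict = {}             # (name, surname) -> (failed attempts, time of first failure)
_reset_tokens: dict = {}         # token -> account key


def lost_password(name: str, surname: str, id_number: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return a single-use reset token when all three fields match, else None.

    Unlike the advisory's lostpassword.asp this never returns the password:
    the token would be delivered to the account's registered e-mail address."""
    now = time.time() if now is None else now
    key = (name.strip().lower(), surname.strip().lower())

    state = _failures.get(key)
    if state is not None and state[0] >= MAX_ATTEMPTS:
        if now - state[1] < LOCKOUT_SECONDS:
            return None                      # locked out: even the right answer is refused
        _failures.pop(key)                   # window expired, start a fresh budget
        state = None

    acct = ACCOUNTS.get(key)
    # Always run the constant-time compare, with a dummy value for unknown
    # accounts, so response timing does not reveal which names exist.
    expected = acct["id_number"] if acct else "0" * 13
    matched = hmac.compare_digest(expected.encode(), id_number.encode()) and acct is not None
    if matched:
        _failures.pop(key, None)
        token = secrets.token_hex(16)
        _reset_tokens[token] = key
        return token

    _failures[key] = (1, now) if state is None else (state[0] + 1, state[1])
    return None


def consume_reset_token(token: str) -> Optional[tuple]:
    """Single use: the same token presented twice fails the second time."""
    return _reset_tokens.pop(token, None)


if __name__ == "__main__":
    for guess in ("0000000000001", "0000000000002", "0000000000003",
                  "0000000000004", "0000000000005"):
        print(lost_password("Jane", "Doe", guess))          # None, five times
    print(lost_password("Jane", "Doe", "8203115012089"))    # None: locked out
```

A budget keyed only by account lets anyone who knows a name lock that user out for the window, so in practice this is paired with a per-source-address limit and a notification to the account holder; the lockout slows the guessing, while issuing a token instead of the password is what removes the prize.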
  
  
## History ##  
  
Vendor contacted Tue, 13 Jul 2004.  
  
  
  
## Credits ##  
  
Criolabs staff  
http://www.criolabs.net   
  
  
  
