getintranet.txt

2004-09-14T00:00:00
ID PACKETSTORM:34342
Type packetstorm
Reporter criolabs.net
Modified 2004-09-14T00:00:00

Description

                                        
                                            `****************************************************************************************************  
CRIOLABS   
  
- Software: getIntranet   
- Type: E-business:Intranet  
- Company: getSolutions  
- Date: 09-9-2004  
  
  
****************************************************************************************************  
  
  
#Software: getIntranet.  
#Platform: ASP, Microsoft SQL.  
#Comments: Administration section (Not Tested)  
  
  
  
## Description ##  
  
getIntranet is a rapidly deployable Intranet-in-a-box: a feature-rich, cost-effective, robust communication tool that any  
company can deploy to assist in managing time-consuming tasks (e.g., document and content management, customer and  
supplier information, online leave forms and company reports).  
  
  
  
## Vulnerabilities ##   
  
Multiple SQL-Injections, Cross-Site Scripting, ID spoof, File upload vulnerability, ASP code execution on the server,  
Privilege escalation vulnerability, ID bruteforce.  
  
  
## Multiple SQL-Injections ##  
  
Numerous input-sanitization failures allow an attacker to inject SQL code and thereby manipulate and disclose  
information held in the database.  
  
Because the back end is Microsoft SQL Server, an attacker could also execute operating-system commands through the  
xp_cmdshell extended stored procedure.  
  
  
/welcome.asp?id=[SQL]  
  
/welcome.asp?page=search.asp&search=[SQL]  
  
/welcome.asp?page=content_display.asp&id=[SQL]  
  
/welcome.asp?page=customer_list.asp&ctype=[SQL]  
  
/welcome.asp?page=calendar_add.asp&id=[SQL]  
  
/welcome.asp?action=invitation&calendarid=[SQL]&ans=1  
  
/welcome.asp?page=employee_detail.asp&lid=&id=[SQL]  
  
/welcome.asp?page=front_calendar_display.asp&ctype=[SQL]  
  
/welcome.asp?page=calendar_display.asp&id=[SQL]  
  
/welcome.asp?page=front_content_display.asp&ctype=[SQL]  
  
/welcome.asp?page=message_send.asp&id=[SQL]  
  
/welcome.asp?action=delmessage&id=[SQL]  
  
/welcome.asp?page=message.asp&id=[SQL]  
  
  
  
## Cross-Site Scripting ##  
  
In Send Message, malicious script can be injected directly into the subject and comments fields.  
An attacker can submit specially crafted text so that, when a target user views certain pages of the application,  
arbitrary script is executed by the target user's browser, allowing the attacker to modify user profiles,  
redirect the user to another page, steal cookies, and so on.  
  
The same problem exists in the calendar and in every kind of comment field in the software.  
A remote attacker could also inject an XSS payload into the register form; it would be executed when the admin logs on.  
  
  
## ID Spoof ##  
  
An attacker can view and delete any user's directory, archives and mail simply by changing the (id) and (lid) variables.  
  
#Example:  
  
/welcome.asp?id=30&ctype=1&lid=f30&page=folder_detail.asp  
/welcome.asp?page=message.asp&id=4  
/welcome.asp?action=delmessage&id=3  
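The SQL-injection and ID-spoof findings above share one root cause: a request parameter is used as-is, and nothing ties the record to the logged-in user. The classic-ASP snippet below is an added illustration of the fix, not getIntranet's own code; the table and column names (messages, owner_login_id), the Session("login_id") key and the open ADODB.Connection named conn are assumed.

```asp
<%
' Added illustration, not getIntranet's code. Assumed: "conn" is an open
' ADODB.Connection; the logged-in user's numeric id is in Session("login_id").

' --- Vulnerable pattern implied by welcome.asp?page=message.asp&id=[SQL]:
' the raw value is concatenated into the statement and no ownership check is
' made, so both SQL injection and reading another user's mail by changing id work.
' sql = "SELECT subject, body FROM messages WHERE id = " & Request.QueryString("id")
' Set rs = conn.Execute(sql)

' --- Hardened version: strict type check, parameterised query, ownership check.
Const adInteger = 3, adParamInput = 1, adCmdText = 1

Function SafeMessageId()
    Dim raw, re
    raw = Request.QueryString("id")
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"      ' digits only: quotes, comments and keywords never reach SQL
    If re.Test(raw) Then
        SafeMessageId = CLng(raw)
    Else
        SafeMessageId = -1
    End If
End Function

Dim msgId, cmd, rs
msgId = SafeMessageId()
If msgId < 0 Or IsEmpty(Session("login_id")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Placeholders keep the id out of the SQL text; the owner predicate makes the
' row unreachable for anyone but its recipient, which closes the ID-spoof case.
cmd.CommandText = "SELECT subject, body FROM messages WHERE id = ? AND owner_login_id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , msgId)
cmd.Parameters.Append cmd.CreateParameter("owner", adInteger, adParamInput, , CLng(Session("login_id")))
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"   ' same answer whether the id is absent or belongs to someone else
Else
    Response.Write Server.HTMLEncode(rs("subject"))   ' output encoding also blunts the stored XSS
End If
rs.Close
%>
```

The same pattern (validate type, bind as a parameter, filter by the session's owner) applies to the delmessage action and the other id/ctype/lid parameters listed above.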
  
  
## File Upload vulnerability and ASP Code Execution on the Server ##  
  
fileupload.asp permits remote authenticated users to upload files to the server.  
Once a file has been uploaded, a remote user can execute the code it contains simply by requesting the file; the code  
runs with the privileges of the web server.  
  
  
  
## Form Upload Example ##  
  
<form method="post" action="http://VULNERABLEHOST/fileupload.asp" enctype="multipart/form-data" id="form1" name="form1">  
<input type="hidden" name="t1" value="25"><input type="hidden" name="t2" value="13">  
<input type="file" name="file" value="" size="20" class="formitem">   
<textarea name="t3" class="textarea" rows="5" cols="40"></textarea>   
<input type="hidden" name="t4" value="1">  
<input type="hidden" name="flds" value="4"><input type="hidden" name="proc" value="sp_login_upload_write">  
<input type="hidden" name="lid" value=""><input type="hidden" name="upload" value="upload"><input type="hidden" name="customer" value="">  
<input type="hidden" name="page" value="login_detail.asp"><input type="hidden" name="basepage" value="welcome.asp">  
<input type="submit" name="Action" value="Upload" class="formitembutton">  
</form>  
  
  
  
## Privilege Escalation Vulnerability ##  
  
A remote authenticated user can escalate privileges in "Update my details" by changing the T47 variable from 1 to 4  
(Super Admin).  
  
  
## ID Bruteforce ##  
  
In lostpassword.asp, three parameters are required to retrieve a lost password (Name, Surname, ID Number).  
Name and Surname are easily obtained, so an attacker could brute-force the ID number within hours and hijack an account.  
  
  
## History ##  
  
Vendor contacted Tue, 13 Jul 2004.  
  
  
  
## Credits ##  
  
Criolabs staff  
http://www.criolabs.net   
  
  
  