ZH2005-13SA.txt

`  
  
ZH2005-13SA (security advisory): NEXTWEB (i)Site™ multiple vulnerabilities  
Published: 1 June 2005 - GOOD MONTH EVERYBODY ;-)  
  
Released: 1 June 2005  
  
Name: (i)Site™   
  
Affected Versions: ALL  
  
Issue: SQL injections, exception handling, unsafe directories  
  
Author: Trash-80 - [email protected]  
  
Vendor: http://www.nextweb.gr & http://www.isite.gr  
  
  
  
Description  
  
***********  
  
Zone-H Security Team has discovered multiple vulnerabilities in (i)Site website management system. An expensive web application with high-profiled customers. Unsafe directories, SQL injection vulnerabilities, failures to validate user inputs and to handle exceptional conditions were found in (i)Site.  
  
  
Details  
  
*******   
  
  
1. SQL injection in login.asp  
  
You are able to bypass the authentication process by sending a crafted  
username and password that changes the SQL query in login.asp and thus  
grants you with access to the administration of (i)Site.  
  
  
e.g. www.victim.com/admin/login.asp  
usename: attacker  
password: ' or 'a'='a  
  
  
2. Databases are not located in a safe directory. Remote scanners used for malicious intends are checking for unsafe database directories. Locating the databases out of the webroot is a good solution. Thus, downloading Users.mdb file discloses me the administrator's username and password.  
  
  
e.g www.victim.com/databases/Users.mdb  
  
  
3. Failure to handle exceptional conditions and validating user inputs. The following will cause an error 500 for a few minutes.  
  
  
e.g. www.victim.com/isite/page/*.asp?mu=&cmu='  
  
  
Solution:  
  
*********  
  
Vendor has been contacted on May 24th.  
Since then, vendor did not reply to a series of e-mails informing him about the vulnerabilities in (i)Site.  
  
  
Trash-80 form Zone-H Security Labs - [email protected] - [email protected]  
  
`