aenovoSQL.txt

`Aenovo Multiple Vulnerabilities  
  
[KAPDA::#3] - Aenovo - Multiple Vulnerabilities  
  
KAPDA New advisory  
  
Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions),  
  
AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions)   
  
Vendor: http://www.aenovo.co.uk/  
  
Risk: High  
  
Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss)  
  
About Aenovo  
--------------------  
aeNovo is a collection of sophisticated web pages   
  
that allows you to have a website that's as big and  
  
as elaborate as you make it. Once your aeNovo   
  
files are moved to your web space you can add, delete  
  
and amend pages, images and all manner of files  
  
all THROUGH THE BROWSER.  
  
Vendor`s description : http://www.aenovo.co.uk/introduction.asp  
  
Discussion :  
----------------  
Several scripts do not properly validate user-supplied  
  
input. A remote user can create specially crafted  
  
parameter values that will execute SQL commands on the  
  
underlying database.Also it is possible to Inject Html scripts  
  
in vulnerable page.  
  
One the most Important rules in Application security is   
  
confidentiality of stored passwords.To achive this goal   
  
Applications ( Including web apps) encrypt passwords and  
  
store crypted hashes.This application suffer from Clear Text  
  
Password Storage.  
  
As we know and tested all versions of Aenovo , Aenovoshop   
  
and aeNovoWYSI are vulnerable.  
  
  
Vulnerabilities:  
--------------------  
  
[1] Sql injection in /password/default.asp (/user/control.asp)   
  
at parameter named 'password'.Attacker can enter Sql to login  
  
to system as low-level user.  
  
[2]Clear Password Storage at 'control','content' and 'pages' tables.  
  
[3]Sql injection in /search.asp (/incs/searchdisplay.asp)  
  
at parameter named 'strSQL'.  
  
[4]Xss can be found in most of active server pages   
  
which get and render user-supplied input.  
  
Proof of Concepts:  
--------------------  
  
[1]  
<html>  
<h1>Aenovo Login-Bypass PoC - Kapda `s advisory </h1>  
<p> Discovery and exploit by farhadkey [at} kapda.ir</p>  
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers Institute   
of Iran</a></p>  
<form method="POST" action="http://target/user/control.asp">  
<input type="hidden" name="password" value="[SQL Injection]" >  
<input type="submit" value="Submit" name="B1">  
<input type="hidden" name="test" value="1">  
</form></html>  
  
[3]   
AeNovo :Lists username and password of administrators  
http://target/search.asp?strSQL=[SQL Injection]  
  
AeNovoShop:Lists username and password of administrators  
http://target/search.asp?strSQL=[SQL Injection]  
  
  
AeNovoWYSI:Lists username and password of administrators  
http://target/search.asp?strSQL=[SQL Injection]  
  
Solution:  
--------------------  
No patch`s released yet by vendor.  
This advisory is reported to Vendor about one month ago.  
  
More Detail:  
--------------------  
http://www.kapda.ir/advisory-78.html  
Visit above link for more details.  
  
Credit :  
--------------------  
Farhad Koosha & Devil_box   
devil_box [at} kapda.ir  
farhadkey [at} kapda.ir  
Kapda - Security Science Researchers Insitute of Iran  
http://www.KAPDA.ir  
(PersianHacker.NET)  
`