Release Date: 02-Apr-2009
Software: Asbru Software - Asbru Web Content Management http://www.asbrusoft.com/
"Ready to use, full-featured, database-driven web content management system (CMS) with integrated community, databases, e-commerce and statistics modules for creating, publishing and managing rich and user-friendly Internet, Extranet and Intranet websites."
Versions tested: 6.5 and 6.6.9 have been confirmed as vulnerable in the ASP release. Other versions are untested. The vendor reports JSP, PHP, ASPX immune.
SQL Injection & XSS
High - SQL Injection in backend database. Impact depends on the security and configuration of the database. It may be possible to execute code using functons such as xp_cmdshell in poorly configured hosts. Other attacks possible include obtaining the CMS admin username and password from the database and subsequently uploading code or modifying the page content.
The 'id' GET parameter of 'page.asp', 'stylesheet.asp' and 'file.asp' is vulnerable to numeric based blind SQL injection.
http://[victim]/page.asp?id=1 <-- main page http://[victim]/page.asp?id=1 AND 1=2 <-- returns blank (false) http://[victim]/page.asp?id=1 AND 1=1 <-- main page (true)
XSS in the 'url' parameter of 'login.asp':
References: aushack.com advisory http://www.aushack.com/200904-asbru.txt
Credit: Patrick Webster ( firstname.lastname@example.org )
Disclosure timeline: 28-Oct-2008 - Discovered during audit. 27-Nov-2008 - Notified vendor. 28-Nov-2008 - Vendor releases patch. 02-Apr-2009 - Disclosure.