Password Protect XSS and SQL-Injection vulnerabilities.

2004-09-03T00:00:00
ID SECURITYVULNS:DOC:6728
Type securityvulns
Reporter Securityvulns
Modified 2004-09-03T00:00:00

Description


CRIOLABS
  • Software: Password protect
  • Type: User Authentication
  • Company: Web Animations
  • Date: 30-8-2004

Software

Software: Password protect
Versions: All
Language: ASP
Platforms: Win NT, 2000, XP
Web: http://www.webanimations.com.au/

The ultimate protection including unlimited user names and passwords, each checking their individual IP address. You can add 1 IP address or include a range for users with various IP addresses when they log in.

Affected parts

  • ChangePassword.asp (XSS in ShowMsg, SQL Injection in LoginId and OPass variables)
  • index.asp (XSS in ShowMsg)
  • index_next.asp (SQL Injection in admin and Pass variables)
  • users_list.asp (XSS in ShowMsg variable)
  • users_add.asp (XSS in ShowMsg variable, SQL Injection)
  • users_edit.asp (XSS, SQL Injection)

Vulnerabilities

    ### SQL Injection ###

    A remote user can use an SQL injection attack to log in as admin or manipulate the database.
    index_next.asp, ChangePassword.asp, users_edit.asp, users_add.asp are affected.


    Example:

    /adminSection/index_next.asp?
    admin = (SQLInjection) Pass = (SQLInjection)

    /adminSection/ChangePassword.asp?
    LoginId=(SQLInjection) OPass=(SQLInjection) NPass=(SQLInjection) CPass=(SQLInjection)



    ### Cross-site Scripting ###

    This software does not filter HTML code from user-supplied input in some scripts.


    Example:

    /adminSection/index.asp?ShowMsg=(XSS)
    /adminSection/ChangePassword.asp?ShowMsg=(XSS)
    /adminSection/users_list.asp?ShowMsg=(XSS)
    /adminSection/users_add.asp?ShowMsg=(XSS)
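
The two flaws above share one root cause: request parameters reach the SQL text and the HTML page unchanged. The following is an added illustration, not code from Password Protect or from Criolabs: a constructed in-memory SQLite user table (the table and column names are assumptions, picked to match the LoginId and Pass parameter names in the advisory) shows a string-concatenated login check beside its parameterized fix, a reflected ShowMsg rendered raw beside its HTML-encoded fix, and a small log-review helper that flags requests to the scripts listed above when a SQL-bound parameter carries a quote or ShowMsg carries markup.

```python
import html
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the product's user store. The table and column
# names are assumptions chosen to match the advisory's parameter names.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (LoginId TEXT, Pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def login_concatenated(conn, login_id, password):
    """The flawed pattern: request values are spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = ("SELECT COUNT(*) FROM users "
           f"WHERE LoginId = '{login_id}' AND Pass = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, login_id, password):
    """The fix: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE LoginId = ? AND Pass = ?"
    return conn.execute(sql, (login_id, password)).fetchone()[0] > 0

def render_show_msg_raw(show_msg):
    """The flawed pattern: ShowMsg is echoed into the page unchanged."""
    return f'<p class="msg">{show_msg}</p>'

def render_show_msg(show_msg):
    """The fix: encode HTML metacharacters before the value is reflected."""
    return f'<p class="msg">{html.escape(show_msg, quote=True)}</p>'

# Script/parameter pairs named in the advisory, used for log review.
SQL_PARAMS = {
    "index_next.asp": {"admin", "Pass"},
    "ChangePassword.asp": {"LoginId", "OPass", "NPass", "CPass"},
}
XSS_SCRIPTS = {"index.asp", "ChangePassword.asp", "users_list.asp", "users_add.asp"}

def flag_request(url):
    """Return the reasons a request to an affected script looks suspicious.
    This is a coarse heuristic for reviewing web-server logs: a quote in a
    parameter that reaches SQL, or angle brackets in ShowMsg."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name in sorted(SQL_PARAMS.get(script, ())):
        if any("'" in v for v in params.get(name, [])):
            reasons.append(f"sql-metachar:{name}")
    if script in XSS_SCRIPTS:
        if any("<" in v or ">" in v for v in params.get("ShowMsg", [])):
            reasons.append("html-in-ShowMsg")
    return reasons

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the classic quote-breaking input
    print("concatenated :", login_concatenated(db, "admin", tautology))    # True (bypass)
    print("parameterized:", login_parameterized(db, "admin", tautology))   # False
    print(render_show_msg_raw("<b>x</b>"))
    print(render_show_msg("<b>x</b>"))
    print(flag_request("/adminSection/index.asp?ShowMsg=%3Cb%3Ex%3C/b%3E"))
```

The concatenated check accepts the tautology for the admin account because the quote closes the string literal and the rest becomes part of the WHERE clause; the parameterized version compares the whole input against the stored password and rejects it. The same separation of data from markup is what html.escape gives the ShowMsg output. The log heuristic will produce false positives (a legitimate password containing an apostrophe, for example), so treat its hits as items to review rather than as confirmed attacks.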

History

Vendor contacted: Fri, 06 Aug 2004, no response.

Credits

Criolabs staff http://www.criolabs.net

Original advisory and proof of concept at http://www.criolabs.net/advisories/passprotect.txt