VisualSite CMS v1.3 Multiple Vulnerabilities

2010-09-26T00:00:00
ID 1337DAY-ID-14194
Type zdt
Reporter Abysssec
Modified 2010-09-26T00:00:00

Description

Exploit for asp platform in category web applications

                                        
                                            ============================================
VisualSite CMS v1.3 Multiple Vulnerabilities
============================================

  Affected Version :  VisualSite 1.3
  Discovery        :  www.abysssec.com
  Download Links   :  http://sourceforge.net/projects/visualsite/
  Login Page       :  http://Example.com/Admin/Default.aspx
  
Description :
===========================================================================================     
  This version of Visual Site CMS have Multiple Valnerabilities :
        1- Logical Bug for Lock Admin's Login
        2- Persistent XSS in admin section
 
 
Logical Bug for Lock Admin's Login:
===========================================================================================    
 
  If you enter this values in Login Page (http://Example.com/Admin/Default.aspx)
  three times during five minutes , the Admin's login will be locked:
 
    Username : 1' or '1'='1
    Password : foo
   
 
  Vulnerable Code is in this file:
                ../App_Code/VisualSite/DAL.cs
  Ln 378:
                public static User GetUser(string username)
            {
                  User result = null;
                  DataTable matches = ExecuteRowset(String.Format("SELECT [ID], [Username], [Password], [LockedDate] FROM [User] WHERE [Username] = '{0}'", Sanitise(username)));
                  if (matches != null && matches.Rows.Count > 0)
                   {
                     ...
                   }
                  return result;
                 }
 
 
 
Persistent XSS in admin section:
===========================================================================================    
  In Edit Section which is accessible to Admin, it is possible to enter a script in Description field
  that only executed in the following path and never executed in other situations:
 
     http://Example.com/SearchResults.aspx?q={}
 
 
===========================================================================================



#  0day.today [2018-03-20]  #