Asbru Web Content Management - SQL Injection and XSS
Release Date:
02-Apr-2009
Software:
Asbru Software - Asbru Web Content Management
http://www.asbrusoft.com/
"Ready to use, full-featured, database-driven web content management system
(CMS) with integrated community, databases, e-commerce and statistics modules
for creating, publishing and managing rich and user-friendly Internet, Extranet
and Intranet websites."
Versions tested:
6.5 and 6.6.9 have been confirmed as vulnerable in the ASP release.
Other versions are untested. The vendor reports JSP, PHP, ASPX immune.
Vulnerability discovered:
SQL Injection & XSS
Vulnerability impact:
High - SQL Injection in backend database. Impact depends on the
security and configuration of the database. It may be possible
to execute code using functons such as xp_cmdshell in poorly
configured hosts. Other attacks possible include obtaining the
CMS admin username and password from the database and
subsequently uploading code or modifying the page content.
Vulnerability information:
The 'id' GET parameter of 'page.asp', 'stylesheet.asp' and 'file.asp' is
vulnerable to numeric based blind SQL injection.
Example:
http://[victim]/page.asp?id=1 <-- main page
http://[victim]/page.asp?id=1 AND 1=2 <-- returns blank (false)
http://[victim]/page.asp?id=1 AND 1=1 <-- main page (true)
XSS in the 'url' parameter of 'login.asp':
Example:
http://[victim]/webadmin/login.asp?url="><script>alert(document.cookie)</script>
Credit:
Patrick Webster
Disclosure timeline:
28-Oct-2008 - Discovered during audit.
27-Nov-2008 - Notified vendor.
28-Nov-2008 - Vendor releases patch.
02-Apr-2009 - Disclosure.
02-Apr-2009
Software:
Asbru Software - Asbru Web Content Management
http://www.asbrusoft.com/
"Ready to use, full-featured, database-driven web content management system
(CMS) with integrated community, databases, e-commerce and statistics modules
for creating, publishing and managing rich and user-friendly Internet, Extranet
and Intranet websites."
Versions tested:
6.5 and 6.6.9 have been confirmed as vulnerable in the ASP release.
Other versions are untested. The vendor reports JSP, PHP, ASPX immune.
Vulnerability discovered:
SQL Injection & XSS
Vulnerability impact:
High - SQL Injection in backend database. Impact depends on the
security and configuration of the database. It may be possible
to execute code using functons such as xp_cmdshell in poorly
configured hosts. Other attacks possible include obtaining the
CMS admin username and password from the database and
subsequently uploading code or modifying the page content.
Vulnerability information:
The 'id' GET parameter of 'page.asp', 'stylesheet.asp' and 'file.asp' is
vulnerable to numeric based blind SQL injection.
Example:
http://[victim]/page.asp?id=1 <-- main page
http://[victim]/page.asp?id=1 AND 1=2 <-- returns blank (false)
http://[victim]/page.asp?id=1 AND 1=1 <-- main page (true)
XSS in the 'url' parameter of 'login.asp':
Example:
http://[victim]/webadmin/login.asp?url="><script>alert(document.cookie)</script>
Credit:
Patrick Webster
Disclosure timeline:
28-Oct-2008 - Discovered during audit.
27-Nov-2008 - Notified vendor.
28-Nov-2008 - Vendor releases patch.
02-Apr-2009 - Disclosure.
