MOAUB #25 - VisualSite CMS v1.3 Multiple Vulnerabilities

Iniciado por juh, 26 Septiembre 2010, 06:04 AM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

juh

26 Septiembre 2010, 06:04 AM
Código [Seleccionar]
'''
  __  __  ____         _    _ ____
|  \/  |/ __ \   /\  | |  | |  _ \
| \  / | |  | | /  \ | |  | | |_) |
| |\/| | |  | |/ /\ \| |  | |  _ <
| |  | | |__| / ____ \ |__| | |_) |
|_|  |_|\____/_/    \_\____/|____/

http://www.exploit-db.com/moaub-25-visualsite-cms-multiple-vulnerabilities/
 
'''

Abysssec Inc Public Advisory
 
 
  Title            :  VisualSite CMS Multiple Vulnerabilities
  Affected Version :  VisualSite 1.3
  Discovery        :  www.abysssec.com
  Download Links   :  http://sourceforge.net/projects/visualsite/
  Login Page       :  http://Example.com/Admin/Default.aspx
 
Description :
===========================================================================================     
  This version of Visual Site CMS have Multiple Valnerabilities :
        1- Logical Bug for Lock Admin's Login
        2- Persistent XSS in admin section


Logical Bug for Lock Admin's Login:
===========================================================================================   

  If you enter this values in Login Page (http://Example.com/Admin/Default.aspx)
  three times during five minutes , the Admin's login will be locked:

    Username : 1' or '1'='1
    Password : foo
   

  Vulnerable Code is in this file:
                ../App_Code/VisualSite/DAL.cs
  Ln 378:
                public static User GetUser(string username)
            {
                  User result = null;
                  DataTable matches = ExecuteRowset(String.Format("SELECT [ID], [Username], [Password], [LockedDate] FROM [User] WHERE [Username] = '{0}'", Sanitise(username)));
                  if (matches != null && matches.Rows.Count > 0)
                   {
                     ...
                   }
                  return result;
                 }



Persistent XSS in admin section:
===========================================================================================   
  In Edit Section which is accessible to Admin, it is possible to enter a script in Description field
  that only executed in the following path and never executed in other situations:

     http://Example.com/SearchResults.aspx?q={}


===========================================================================================
Let`s the terror begin!!!
Imprimir
Ir Arriba Páginas1
Acciones del Usuario