[webapps / 0day] - VisualSite CMS v1.3 Multiple Vulnerabilit
Posted on 25 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>VisualSite CMS v1.3 Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 25 Sep 2010 | Exploit category: webapps / 0day | Exploit author: Abysssec | Inj3ct0r exploit database' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>============================================ VisualSite CMS v1.3 Multiple Vulnerabilities ============================================ Affected Version : VisualSite 1.3 Discovery : www.abysssec.com Download Links : http://sourceforge.net/projects/visualsite/ Login Page : http://Example.com/Admin/Default.aspx Description : =========================================================================================== This version of Visual Site CMS have Multiple Valnerabilities : 1- Logical Bug for Lock Admin's Login 2- Persistent XSS in admin section Logical Bug for Lock Admin's Login: =========================================================================================== If you enter this values in Login Page (http://Example.com/Admin/Default.aspx) three times during five minutes , the Admin's login will be locked: Username : 1' or '1'='1 Password : foo Vulnerable Code is in this file: ../App_Code/VisualSite/DAL.cs Ln 378: public static User GetUser(string username) { User result = null; DataTable matches = ExecuteRowset(String.Format("SELECT [ID], [Username], [Password], [LockedDate] FROM [User] WHERE [Username] = '{0}'", Sanitise(username))); if (matches != null && matches.Rows.Count > 0) { ... } return result; } Persistent XSS in admin section: =========================================================================================== In Edit Section which is accessible to Admin, it is possible to enter a script in Description field that only executed in the following path and never executed in other situations: http://Example.com/SearchResults.aspx?q={} =========================================================================================== # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-25]</pre></body></html>
