Bugtraq mailing list archives
[ZH2005-13SA] NEXTWEB (i)Site website management multiple vulnerabilities
From: Jim Pangalos <dpangalos () linuxmail org>
Date: 1 Jun 2005 15:40:28 -0000
ZH2005-13SA (security advisory): NEXTWEB (i)Site multiple vulnerabilities Published: 1 June 2005 - GOOD MONTH EVERYBODY ;-) Released: 1 June 2005 Name: (i)Site Affected Versions: ALL Issue: SQL injections, exception handling, unsafe directories Author: Trash-80 - dpangalos () zone-h org Vendor: http://www.nextweb.gr & http://www.isite.gr Description *********** Zone-H Security Team has discovered multiple vulnerabilities in (i)Site website management system. An expensive web application with high-profiled customers. Unsafe directories, SQL injection vulnerabilities, failures to validate user inputs and to handle exceptional conditions were found in (i)Site. Details ******* 1. SQL injection in login.asp You are able to bypass the authentication process by sending a crafted username and password that changes the SQL query in login.asp and thus grants you with access to the administration of (i)Site. e.g. www.victim.com/admin/login.asp usename: attacker password: ' or 'a'='a 2. Databases are not located in a safe directory. Remote scanners used for malicious intends are checking for unsafe database directories. Locating the databases out of the webroot is a good solution. Thus, downloading Users.mdb file discloses me the administrator's username and password. e.g www.victim.com/databases/Users.mdb 3. Failure to handle exceptional conditions and validating user inputs. The following will cause an error 500 for a few minutes. e.g. www.victim.com/isite/page/*.asp?mu=&cmu=' Solution: ********* Vendor has been contacted on May 24th. Since then, vendor did not reply to a series of e-mails informing him about the vulnerabilities in (i)Site. Trash-80 form Zone-H Security Labs - dpangalos () zone-h org - zetalabs () zone-h org
Current thread:
- [ZH2005-13SA] NEXTWEB (i)Site website management multiple vulnerabilities Jim Pangalos (Jun 01)