[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CJWSoft ASPGuest GuestBook 'edit.asp' - SQL Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CJWSoft ASPGuest GuestBook 'edit.asp' - SQL Injection Vulnerability
From: demonalex@xxxxxxx
Date: Thu, 23 Feb 2012 17:04:52 GMT

Title: CJWSoft ASPGuest GuestBook 'edit.asp' - SQL Injection Vulnerability

Product : CJWSoft ASPGuest GuestBook

Version : Free Version

Vendor: http://www.cjwsoft.com/aspguest/default.asp

Class:  Input Validation Error  

CVE:
 
Remote:  Yes  

Local:  No  

Published:  2012-02-24

Updated:  

Impact : Medium (CVSSv2 Base : 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)

Bug Description :
Page 'edit.asp' of CJWSoft ASPGuest GuestBook(Free Version) is vulnerable with 
Security Access Control Bypass and SQL Injection Vulnerability.

POC:
#-------------------------------------------------------------
1) Security Access Control Bypass
Page 'edit.asp' is a page for editing message as administrator privilege, but 
it can be viewed without authentication by everyone.

2) SQL Injection
http://victim/guestbook/admin/edit.asp?ID=8 and 1=1
http://victim/guestbook/admin/edit.asp?ID=8 and 1=2
etc...
#-------------------------------------------------------------

Advice:
1) Add 'Session()' for authentication into 'edit.asp'.
2) Use 'cint()' for converting type of ID into 'edit.asp'.

Credits : This vulnerability was discovered by demonalex@xxxxxxx
mail: demonalex@xxxxxxx / ChaoYi.Huang@xxxxxxxxxxxxxxxx
Pentester/Researcher
Dark2S Security Team/PolyU.HK

Prev by Date: Cisco Security Advisory: Cisco Small Business SRP 500 Series Multiple Vulnerabilities
Next by Date: [SECURITY] [DSA 2416-1] notmuch security update
Previous by thread: Cisco Security Advisory: Cisco Small Business SRP 500 Series Multiple Vulnerabilities
Next by thread: [SECURITY] [DSA 2416-1] notmuch security update
Index(es):
- Date
- Thread