Password Protect XSS and SQL-Injection vulnerabilities.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Password Protect XSS and SQL-Injection vulnerabilities.
From: Criolabs <security@xxxxxxxxxxxx>
Date: Mon, 30 Aug 2004 19:16:46 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

****************************************************************************************************
                                             CRIOLABS  

- Software:   Password protect   
- Type:       User Authentication
- Company:    Web Animations
- Date:       30-8-2004


****************************************************************************************************


## Software ##

Software:   Password protect     
Versions:   All  
Languaje:   ASP
Plataforms: Win nt, 2000, xp 
Web:        http://www.webanimations.com.au/


The ultimate protection including unlimited user names and passwords each 
checking their individual
ip address. You can add 1 ip address or include a range for the users with 
various IP address's 
when they log in.    



## Affected part ## 

- ChangePassword.asp     (XSS in ShowMsg, SQL Injection in LoginId and OPass 
variables)
- index.asp              (XSS in ShowMsg)
- index_next.asp         (SQL Injection in admin and Pass variables)
- users_list.asp         (XSS in ShowMsg variable)
- users_add.asp          (XSS in ShowMsg variable, SQL Injection)
- users_edit.asp         (XSS, SQL Injection)



## Vulnerabilities ##


        ### SQL Injection ###

        A remote user can use an sql-injection attack to login as admin or 
manipulate the database.
        index_next.asp, ChangePassword.asp, users_edit.asp, users_add.asp are 
affected.
        
        
        Example:
        
        /adminSection/index_next.asp?
        admin = (SQLInjection) Pass = (SQLInjection)  
        
        /adminSection/ChangePassword.asp?
        LoginId=(SQLInjection) OPass=(SQLInjection) NPass=(SQLInjection) 
CPass=(SQLInjection)   
        


        ### Cross-site Scripting ###
        
        This software do not filter HTML code from user-supplied input in some 
scripts.
        
        
        Example:

        /adminSection/index.asp?ShowMsg=(XSS)
        /adminSection/ChangePassword.asp?ShowMsg=(XSS)
        /adminSection/users_list.asp?ShowMsg=(XSS)
        /adminSection/users_add.asp?ShowMsg=(XSS)       
        



## History ##

Vendor contacted: Fri, 06 Aug 2004, no response. 



## Credits ##

Criolabs staff
http://www.criolabs.net 

Original advisory and proof of concept in 
http://www.criolabs.net/advisories/passprotect.txt

Prev by Date: [ GLSA 200409-06 ] eGroupWare: Multiple XSS vulnerabilities
Next by Date: [ GLSA 200409-02 ] MySQL: Insecure temporary file creation in mysqlhotcopy
Previous by thread: [ GLSA 200409-06 ] eGroupWare: Multiple XSS vulnerabilities
Next by thread: [ GLSA 200409-02 ] MySQL: Insecure temporary file creation in mysqlhotcopy
Index(es):
- Date
- Thread