<<< Date Index >>>     <<< Thread Index >>>

Password Protect XSS and SQL-Injection vulnerabilities.



****************************************************************************************************
                                             CRIOLABS  

- Software:   Password protect   
- Type:       User Authentication
- Company:    Web Animations
- Date:       30-8-2004


****************************************************************************************************


## Software ##

Software:   Password protect     
Versions:   All  
Languaje:   ASP
Plataforms: Win nt, 2000, xp 
Web:        http://www.webanimations.com.au/


The ultimate protection including unlimited user names and passwords each 
checking their individual
ip address. You can add 1 ip address or include a range for the users with 
various IP address's 
when they log in.    



## Affected part ## 

- ChangePassword.asp     (XSS in ShowMsg, SQL Injection in LoginId and OPass 
variables)
- index.asp              (XSS in ShowMsg)
- index_next.asp         (SQL Injection in admin and Pass variables)
- users_list.asp         (XSS in ShowMsg variable)
- users_add.asp          (XSS in ShowMsg variable, SQL Injection)
- users_edit.asp         (XSS, SQL Injection)



## Vulnerabilities ##


        ### SQL Injection ###

        A remote user can use an sql-injection attack to login as admin or 
manipulate the database.
        index_next.asp, ChangePassword.asp, users_edit.asp, users_add.asp are 
affected.
        
        
        Example:
        
        /adminSection/index_next.asp?
        admin = (SQLInjection) Pass = (SQLInjection)  
        
        /adminSection/ChangePassword.asp?
        LoginId=(SQLInjection) OPass=(SQLInjection) NPass=(SQLInjection) 
CPass=(SQLInjection)   
        


        ### Cross-site Scripting ###
        
        This software do not filter HTML code from user-supplied input in some 
scripts.
        
        
        Example:

        /adminSection/index.asp?ShowMsg=(XSS)
        /adminSection/ChangePassword.asp?ShowMsg=(XSS)
        /adminSection/users_list.asp?ShowMsg=(XSS)
        /adminSection/users_add.asp?ShowMsg=(XSS)       
        



## History ##

Vendor contacted: Fri, 06 Aug 2004, no response. 



## Credits ##

Criolabs staff
http://www.criolabs.net 

Original advisory and proof of concept in 
http://www.criolabs.net/advisories/passprotect.txt