[ZH2005-13SA] NEXTWEB (i)Site website management multiple vulnerabilities
ZH2005-13SA (security advisory): NEXTWEB (i)Site? multiple vulnerabilities
Published: 1 June 2005 - GOOD MONTH EVERYBODY ;-)
Released: 1 June 2005
Name: (i)Site?
Affected Versions: ALL
Issue: SQL injections, exception handling, unsafe directories
Author: Trash-80 - dpangalos@xxxxxxxxxx
Vendor: http://www.nextweb.gr & http://www.isite.gr
Description
***********
Zone-H Security Team has discovered multiple vulnerabilities in (i)Site website
management system. An expensive web application with high-profiled customers.
Unsafe directories, SQL injection vulnerabilities, failures to validate user
inputs and to handle exceptional conditions were found in (i)Site.
Details
*******
1. SQL injection in login.asp
You are able to bypass the authentication process by sending a crafted
username and password that changes the SQL query in login.asp and thus
grants you with access to the administration of (i)Site.
e.g. www.victim.com/admin/login.asp
usename: attacker
password: ' or 'a'='a
2. Databases are not located in a safe directory. Remote scanners used for
malicious intends are checking for unsafe database directories. Locating the
databases out of the webroot is a good solution. Thus, downloading Users.mdb
file discloses me the administrator's username and password.
e.g www.victim.com/databases/Users.mdb
3. Failure to handle exceptional conditions and validating user inputs. The
following will cause an error 500 for a few minutes.
e.g. www.victim.com/isite/page/*.asp?mu=&cmu='
Solution:
*********
Vendor has been contacted on May 24th.
Since then, vendor did not reply to a series of e-mails informing him about the
vulnerabilities in (i)Site.
Trash-80 form Zone-H Security Labs - dpangalos@xxxxxxxxxx - zetalabs@xxxxxxxxxx