Aenovo Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Aenovo Multiple Vulnerabilities
From: advisory@xxxxxxxx
Date: 7 Oct 2005 10:40:43 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Aenovo Multiple Vulnerabilities

[KAPDA::#3] - Aenovo - Multiple Vulnerabilities

KAPDA New advisory

Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions),

AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions) 

Vendor: http://www.aenovo.co.uk/

Risk: High

Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss)

About Aenovo
--------------------
   aeNovo is a collection of sophisticated web pages 

that allows you to have a website that's as big and

as elaborate as you make it. Once your aeNovo 

files are moved to your web space you can add, delete

and amend pages, images and all manner of files

 all THROUGH THE BROWSER.

        Vendor`s description : http://www.aenovo.co.uk/introduction.asp

Discussion :
----------------
  Several scripts do not properly validate user-supplied

input. A remote user can create specially crafted

parameter values that will execute SQL commands on the

underlying database.Also it is possible to Inject Html scripts

in vulnerable page.

  One the most Important rules in Application security is 

confidentiality  of stored passwords.To achive this goal 

Applications ( Including web apps) encrypt passwords and

store crypted hashes.This application suffer from Clear Text

Password Storage.
 
   As we know and tested all versions of Aenovo , Aenovoshop   

and aeNovoWYSI are vulnerable.


Vulnerabilities:
--------------------

[1] Sql injection in   /password/default.asp  (/user/control.asp) 

at parameter named 'password'.Attacker can enter Sql to login

to system as low-level user.
        
[2]Clear Password Storage at 'control','content' and 'pages' tables.

[3]Sql injection in /search.asp (/incs/searchdisplay.asp)

at parameter named 'strSQL'.

[4]Xss can be found in most of active server pages 

which get and render user-supplied input.

Proof of Concepts:
--------------------

[1]
<html>
<h1>Aenovo Login-Bypass PoC -  Kapda `s advisory </h1>
<p>     Discovery and exploit by farhadkey [at}  kapda.ir</p>
<p><a href="http://www.kapda.ir/";>      Kapda - Security Science Researchers 
Institute 
of Iran</a></p>
<form method="POST" action="http://target/user/control.asp";>
<input type="hidden" name="password" value="[SQL Injection]" >
<input type="submit" value="Submit" name="B1">
<input type="hidden" name="test" value="1">
</form></html>

[3] 
AeNovo :Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]

AeNovoShop:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]


AeNovoWYSI:Lists username and password of administrators
http://target/search.asp?strSQL=[SQL Injection]

Solution:
--------------------
No patch`s released yet by vendor.
This advisory is reported to Vendor about one month ago.

More Detail:
--------------------
http://www.kapda.ir/advisory-78.html
Visit above link for more details.

Credit :
--------------------
Farhad Koosha & Devil_box 
devil_box [at}  kapda.ir
farhadkey [at}  kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)

Prev by Date: Re: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Next by Date: [ GLSA 200510-07 ] RealPlayer, Helix Player: Format string vulnerability
Previous by thread: MDKSA-2005:175 - Updated texinfo packages fix temporary file vulnerability
Next by thread: [ GLSA 200510-07 ] RealPlayer, Helix Player: Format string vulnerability
Index(es):
- Date
- Thread