Exploitalert - Database of Exploits

Multiple Vulnerabilities In IdealBB ASP Bulletin Board

CVE	Category	Price	Severity
CVE-2009-4599	CWE-79	$N/A	High

Author	Risk	Exploitation Type	Date
Vulnerability Lab	High	Remote	2006-05-13

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2006050068

======================================================================== = CodeScan Advisory, codescan.com <advisories (at) codescan (dot) com [email concealed]> = = Multiple Vulnerabilities In IdealBB ASP Bulletin Board = = Vendor Website: = http://www.idealscience.com = = Affected Version: = Version 1.5.4a And Earlier = = Researched By = CodeScan Labs <advisories (at) codescan (dot) com [email concealed]> = = Public disclosure on May 8th, 2006 ======================================================================== == Overview == CodeScan Labs (www.codescan.com), has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user supplied input. During the ongoing testing of CodeScan ASP, IdealBB ASP Bulletin Board was selected as one of the test applications. This advisory is the result of research into the security of IdealBB, based on the report generated by the CodeScan tool. == Vulnerability Details == * File Reading * A vulnerability leading to the viewing of any file under the web root was discovered. The vulnerable code syntax is a call to the OpenTextFile method of the Scripting.FileSystemObject with user supplied input passed as the file to read. * File Uploading * Four file uploading vulnerabilities were discovered, allowing a remote user to upload files containing ASP code. One of the vulnerable instances attempts to check that the extension is of an allowed type. It does this by checking the extension against a list of known good. While the list does not include the .asp extension it does include .asa. This means a user can upload a file with a .asa extension that contains ASP scripting that will be executed when the uploaded file is accessed. All of the instances are vulnerable to the ASP Null Byte problem as documented in http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads. pdf All the instances use code similar to that shown below to validate the extension against a list of allowed. [ Start Pseudo Code ] theExtension = right(sFileName, len(sFileName) - instrrev(sFileName, ".")) bFileExtensionIsValid = false'assume extension is bad for each sFileExt in oProps.extensions if ucase(sFileExt) = ucase(sFileExtension) then 'if the extensions match, it's good. stop checking bFileExtensionIsValid = True exit for end if next [ End Pseudo Code ] The CreateTextFile method of the Scripting.FileSystemObject is then used to write the contents of the upload to a file. * SQL Injection * More than 50 SQL Injection vulnerabilities were located during the CodeScan analysis. Most of these were caused due to unfiltered user supplied input appended directly to calls to stored procedures. [ Start Pseudo Code ] SQLstr = "sp_someStoredProc " & ID record.Open SQLstr,DB_CONNECTION,0,1 [ End Pseudo Code ] In some cases the user supplied input was passed through a function used to escape the ' character. Exploitation was still possible though as the concatenated SQL string did not place the input inside quotes. [ Start Pseudo Code ] function validateInput(theString) theString = replace(theString, "'", "''") .. end function SQLstr = "sp_anotherStoredProc " & validateInput(ID) record.Open SQLstr,DB_CONNECTION,0,1 [ End Pseudo Code ] * Cross Site Scripting * Numerous cross site scripting vulnerabilities were discovered where user supplied input was outputted directly back to the browser. == Solutions == CodeScan Labs has been in contact with the vendor and a new version of the software has been released to address a number of the discovered vulnerabilities. Users are advised to upgrade to the latest version from http://www.idealscience.com == Credit == Discovered and advised to the vendor by CodeScan Labs == About CodeScan Labs Ltd == CodeScan Labs is a specialist security research and development organisation, that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of the web application source code for security vulnerabilities. The CodeScan product is currently available for ASP and PHP(Beta) CodeScan Labs operates with Responsible Disclosure. As a result, any published advisories will contain information around problems identified by CodeScan, that have been resolved by the vendor.Additional code problems which may be identified by CodeScan or its staff which are not resolved by the vendor will not be made publicly available. e-mail protected and scanned by Bizo Email Filter - powered by Advascan

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.