The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.

Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.

Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.

Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
========================================================================
= CodeScan Advisory, codescan.com <advisories (at) codescan (dot) com>
=
= Multiple Vulnerabilities In ASPPortal.net
=
= Vendor Website:
= http://www.aspportal.net
=
= Affected Version:
= Version 3.00
=
= Researched By
= CodeScan Labs <advisories (at) codescan (dot) com>
=
= Public disclosure on March 15th, 2006
========================================================================
== Overview ==
CodeScan Labs (www.codescan.com) has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.
During the ongoing testing of CodeScan ASP, ASPPortal v3.00 was selected
as one of the test applications.
This advisory is the result of research into the security of ASPPortal,
based on the report generated by the CodeScan tool.
== Vulnerability Details ==
More than 10 SQL injection vulnerabilities were discovered in the
application that could be exploited either by unauthenticated users
or from a normal user account.
Most of the SQL calls were made without any filtering of the request
values, as shown in this code snippet:
------------------------------------------------------------------
sql = "SELECT Forums_Reply.Reply_ID, Forums_Reply.Topic_ID, " & _
      "Forums_Reply.Author, users.Firstname, users.Lastname, " & _
      "users.Email, users.Signature, users.Active, " & _
      "Forums_Reply.Reply_Message, Forums_Reply.Enable_Sign, " & _
      "Forums_Reply.Enable_EMail, Forums_Reply.Date_Added, " & _
      "Forums_Reply.IsActive FROM Forums_Reply INNER JOIN " & _
      "users ON Forums_Reply.Author = users.User_id " & _
      "WHERE Topic_ID=" & request("topic") & ""
' request("topic") is concatenated straight into the SQL text with no
' validation or parameter binding, so a value such as 7 OR 1=1 rewrites the query
set rs1 = cn.Execute(sql)
------------------------------------------------------------------
The code above was found to be vulnerable when all of the following
request conditions are met:
request("mail")="ON" &
request("newreply")="Create Reply" &
request("page_type")=1
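As an added example (not code from the advisory or from ASPPortal), the following Python script reproduces the concatenation pattern above against an in-memory SQLite copy of the Forums_Reply/users join, shows what a constructed topic value of 7 OR 1=1 does to it, and shows the parameterised form that closes the hole. The schema, rows and payload are constructed for the demonstration and the column list is trimmed; in classic ASP the parameterised equivalent is an ADODB.Command with bound parameters rather than string concatenation.

```python
import sqlite3

# Constructed schema mirroring the tables and columns named in the advisory's
# snippet (Forums_Reply joined to users on Author = User_id). Sample rows are
# made up; topic 8 stands in for a topic the attacker should not be able to read.
SCHEMA = """
CREATE TABLE users (
    User_id   INTEGER PRIMARY KEY,
    Firstname TEXT, Lastname TEXT, Email TEXT
);
CREATE TABLE Forums_Reply (
    Reply_ID      INTEGER PRIMARY KEY,
    Topic_ID      INTEGER,
    Author        INTEGER,
    Reply_Message TEXT
);
INSERT INTO users VALUES (1, 'Ann', 'Admin', 'ann@example.test');
INSERT INTO users VALUES (2, 'Bob', 'User',  'bob@example.test');
INSERT INTO Forums_Reply VALUES (10, 7, 1, 'first reply in public topic 7');
INSERT INTO Forums_Reply VALUES (11, 7, 2, 'second reply in public topic 7');
INSERT INTO Forums_Reply VALUES (12, 8, 1, 'reply in unlisted topic 8');
"""

# Column list trimmed from the advisory's query; the join and WHERE are the same.
SELECT_REPLIES = (
    "SELECT Forums_Reply.Reply_ID, Forums_Reply.Topic_ID, users.Email, "
    "Forums_Reply.Reply_Message FROM Forums_Reply INNER JOIN users "
    "ON Forums_Reply.Author = users.User_id WHERE Topic_ID="
)

# Constructed attacker input. No quote is needed: Topic_ID is compared as a
# number, so the value is spliced into the SQL text unquoted, as in the advisory.
PAYLOAD = "7 OR 1=1"


def connect():
    cn = sqlite3.connect(":memory:")
    cn.executescript(SCHEMA)
    return cn


def build_vulnerable_sql(topic):
    # Same construction as: sql = "... Where Topic_ID=" & request("topic") & ""
    return SELECT_REPLIES + str(topic)


def replies_vulnerable(cn, topic):
    # Vulnerable: the request value becomes part of the SQL statement itself.
    return cn.execute(build_vulnerable_sql(topic)).fetchall()


def replies_parameterised(cn, topic):
    # Hardened: the value is bound as a parameter and can only be compared as
    # data. SQLite applies the INTEGER column's affinity to the bound text, so
    # "7" matches topic 7 while "7 OR 1=1" matches nothing.
    return cn.execute(SELECT_REPLIES + "?", (topic,)).fetchall()


def is_valid_topic(topic):
    # Defence in depth for a numeric id: reject anything that is not all digits
    # before it gets anywhere near the database.
    return isinstance(topic, str) and topic.isdigit()


if __name__ == "__main__":
    cn = connect()
    print(build_vulnerable_sql(PAYLOAD))
    print("concatenated,  topic=7 :", len(replies_vulnerable(cn, "7")), "rows")
    print("concatenated,  payload :", len(replies_vulnerable(cn, PAYLOAD)), "rows")
    print("parameterised, topic=7 :", len(replies_parameterised(cn, "7")), "rows")
    print("parameterised, payload :", len(replies_parameterised(cn, PAYLOAD)), "rows")
```

With the payload the concatenated query becomes `... WHERE Topic_ID=7 OR 1=1`, and because `=` binds tighter than `OR` every reply in the table (including the unlisted topic, with each author's e-mail address from the join) is returned. The parameterised query returns nothing for the same input, and the digit check rejects it before the query is built.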
Over 50 cross-site scripting vulnerabilities were discovered throughout
the application. These were either direct output of user input, such as:
<%=request("error")%>
or user input displayed using response.write, such as:
response.write "details has been sent to "&request("getemail")
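As an added example (not code from the advisory or from ASPPortal), the following Python snippet mirrors the two reflected-output patterns above, once in text context and once inside an attribute value, and applies the HTML escaping that Server.HTMLEncode performs in classic ASP. It goes a step beyond the advisory by showing the attribute case, where escaping the double quote is what stops the attacker breaking out of the attribute. The payloads and the input element are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed payloads: one for plain text output, one that breaks out of a
# quoted attribute value to add an event handler.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def confirmation_unsafe(getemail):
    # Mirrors: response.write "details has been sent to " & request("getemail")
    return "details has been sent to " + getemail


def confirmation_safe(getemail):
    # Equivalent of Server.HTMLEncode(Request("getemail")) in classic ASP:
    # &, <, >, " and ' are turned into character references.
    return "details has been sent to " + html.escape(getemail, quote=True)


def error_field_unsafe(error):
    # Mirrors <%=request("error")%> emitted inside an attribute value
    # (a constructed input element, not one from the advisory).
    return '<input type="text" name="error" value="' + error + '">'


def error_field_safe(error):
    # quote=True is what matters in this context: an unescaped double quote
    # would close the attribute and let the rest of the payload become markup.
    return '<input type="text" name="error" value="' + html.escape(error, quote=True) + '">'


class _AttrCollector(HTMLParser):
    # Minimal parser used to see the page the way a browser would: which
    # attributes actually end up on the <input> element.
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup):
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print(confirmation_unsafe(BODY_PAYLOAD))
    print(confirmation_safe(BODY_PAYLOAD))
    print(input_attributes(error_field_unsafe(ATTR_PAYLOAD)))
    print(input_attributes(error_field_safe(ATTR_PAYLOAD)))
```

In the unsafe attribute case the parser reports an `onfocus` attribute on the element, exactly what the browser would execute; in the escaped case the whole payload survives only as the text of `value`, and no handler attribute exists.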
== Solutions ==
CodeScan Labs has been in contact with the vendor and a new version
of the software has been released to address a number of the discovered
vulnerabilities.
Users are advised to upgrade to the latest version from
http://www.aspportal.net
== Credit ==
Discovered and advised to the vendor by CodeScan Labs
== About CodeScan Labs Ltd ==
CodeScan Labs is a specialist security research and development
organisation that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP
and PHP (Beta).