Blaze Apps Multiple Vulnerabilities

##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:			Blaze Apps Multiple Vulnerabilities
# Vendor:		http://blazeapps.codeplex.com
# Vulnerable Version:	1.4.0.051909 (and prior versions)
# Exploitation:		Remote with browser
# Fix:			N/A
###################################################################################

####################
- Description:
####################

Blaze Apps is an ASP.NET 2 Content Management System. It uses VB and C# as
backend languages and Microsoft SQL Server as its DBMS.

####################
- Vulnerability:
####################

+--> MS SQL Server 2005 SQL Injection
+--/-- 1>
	There is an SQL Injection vulnerability in the site search module.
	The code can be found in the "/BlazeApps/Usercontrols/Search.ascx" file.
	Submitting search criteria causes the subroutine "uxSubmitButton_Click"
	in the file "/BlazeApps/Usercontrols/Search.ascx.vb" to be executed.
	It then uses the "uxSearchTextBox" input element value (POST variable) and
	the "tagname" input value (POST variable) in a query without escaping them.
	The exact place of the injection bug is at lines 67 and 69.

	NOTE: In the query-creation phase, all security notes are observed. In the file
	"/BlazeApps.Library/Search/PageSearch.cs" at lines 20 and 30 the
	query parameters are all escaped in a prepared SQL statement.
	But (only) in the search module, the WHERE clause is created manually before
	reaching the DB utility code!!!
+--/-- 2>
	In the "/BlazeApps/App_Code/BlazeKBSVC.vb" file at lines 19 and 37
	the "SearchString" function parameter is not escaped before being used in
	the query.
	Again the bug is (only) in the high-level logic code; the underlying DB utility
	escapes everything correctly.

+--> Stored XSS Vulnerability
	The post page of the site's forum saves posts without any check on the input.
	In the file "/BlazeApps/Usercontrols/Forum/addpost.ascx.vb" at line 121
	the "uxAddPostTextbox" input value is not sanitized.
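
	The root cause described above, as an added C# example that is not Blaze Apps
	code: a WHERE clause assembled from the raw search term (the pattern the
	advisory reports in the search module) beside a parameterized query of the
	kind the DB utility in PageSearch.cs is credited with using. The table name
	"Pages", its columns, the connection string and the method names are assumptions.

```csharp
// Added example (not Blaze Apps code): the two ways a search term can reach SQL Server.
// Assumes a table Pages(Title, Body) and a connection string passed in as connStr;
// both names are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;

public static class PageSearch
{
    // FLAWED pattern, as described in the advisory: the WHERE clause is built by
    // string concatenation before the query reaches the DB utility, so a term
    // containing a single quote closes the literal and the rest becomes SQL.
    public static string BuildWhereUnsafe(string term)
    {
        return "WHERE Title LIKE '%" + term + "%'";   // quotes in 'term' are not escaped
    }

    // Hardened version: the term is bound as a parameter, so it is always data and
    // never part of the statement text, whatever characters it contains.
    public static DataTable Search(string connStr, string term)
    {
        const string sql =
            "SELECT Title, Body FROM Pages WHERE Title LIKE @pattern OR Body LIKE @pattern";

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Escape LIKE wildcards so the user cannot widen the match with % or _,
            // then bind the value. Quotes inside 'term' are harmless in a parameter.
            string pattern = "%" + EscapeLike(term) + "%";
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 400).Value = pattern;

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);   // opens the connection as needed
            }
            return result;
        }
    }

    // Wrap LIKE metacharacters in brackets (SQL Server syntax) so they match literally.
    // "[" must be handled first so the brackets added afterwards are not re-escaped.
    public static string EscapeLike(string input)
    {
        return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

	The same change applies to the "tagname" value and to the "SearchString"
	parameter in BlazeKBSVC.vb: each becomes one more SqlParameter instead of a
	fragment of the statement string.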

####################
- Exploits/PoCs:
####################

+--> Exploiting SQL Injection Vulnerabilities:
	You can use the "aa' OR **** OR 'a'='1" injection vector for exploiting the
	above bugs (replacing the **** with a desired query). For example,
	"aa' OR 1=1 OR '1'='1" will show everything in the search response page.
	This vulnerability can be used for extracting the admin password by
	Blind SQL Injection.
	Using "aa' OR @Condition OR 'a'='1" as the injection vector, the result page
	for the search will be empty if @Condition is false and will show all links
	if @Condition is true.
	So we can replace @Condition with a query like
	   EXISTS (SELECT * FROM blazedb.dbo.aspnet_Membership WHERE (LEN(Password) < 32) AND UserId=??)
	and then brute-force the length and then each character of the password
	(of course we first need to extract the user id from the username by another
	query like the above and then fill ?? with the user id of the admin, which is
	the same process).
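
	Boolean-blind extraction of the kind described above shows up as a burst of
	search requests from one client whose terms all contain a closing quote
	followed by a boolean operator. The following is an added C# example, not part
	of the advisory or of Blaze Apps, that counts such requests per client over a
	few constructed application-log lines; the log format is invented for the
	example (Blaze Apps writes no such log), and the class and method names are
	hypothetical.

```csharp
// Added example (not Blaze Apps code): flag search terms that carry the
// "aa' OR <condition> OR 'a'='1" shape and count them per client address.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class SearchProbeDetector
{
    // Constructed sample log: time, client IP, and the submitted search term.
    public static readonly string[] SampleLog =
    {
        "2009-05-19T10:00:01 10.0.0.5 search term=\"blaze\"",
        "2009-05-19T10:00:09 10.0.0.5 search term=\"aa' OR 1=1 OR '1'='1\"",
        "2009-05-19T10:00:10 10.0.0.5 search term=\"aa' OR EXISTS (SELECT * FROM t) OR 'a'='1\"",
        "2009-05-19T10:00:11 10.0.0.5 search term=\"aa' OR 2>1 OR 'a'='1\"",
        "2009-05-19T10:01:00 10.0.0.9 search term=\"o'neil\"",
    };

    // Parses one constructed line into (timestamp, ip, term).
    static readonly Regex LineRe = new Regex(@"^(\S+) (\S+) search term=""(.*)""$");

    // A single quote followed by OR/AND is the tell-tale of the vector above.
    // A term such as "o'neil" contains a quote but no operator, so it is not flagged.
    static readonly Regex ProbeRe = new Regex(@"'\s*(?:or|and)\b", RegexOptions.IgnoreCase);

    public static bool IsProbe(string term)
    {
        return ProbeRe.IsMatch(term);
    }

    // Returns, per client IP, how many search requests look like injection probes.
    // Several hits from one address in a short window is the blind-extraction signature.
    public static Dictionary<string, int> CountProbes(IEnumerable<string> lines)
    {
        Dictionary<string, int> counts = new Dictionary<string, int>();
        foreach (string line in lines)
        {
            Match m = LineRe.Match(line);
            if (!m.Success) continue;               // skip lines in another format
            string ip = m.Groups[2].Value;
            string term = m.Groups[3].Value;
            if (!IsProbe(term)) continue;
            int n;
            counts.TryGetValue(ip, out n);
            counts[ip] = n + 1;
        }
        return counts;
    }

    public static void Main()
    {
        foreach (KeyValuePair<string, int> kv in CountProbes(SampleLog))
        {
            Console.WriteLine("{0}: {1} probe-like searches", kv.Key, kv.Value);
        }
    }
}
```

	This is a triage aid for log review, not a fix: a pattern match on the search
	term can be evaded, and the vulnerability is closed only by parameterizing the
	query as the Solution section requires.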

+--> Exploiting The Stored XSS Vulnerability:
	It can be exploited by posting a vector like "" to the forum.
	(see "/BlazeApps/Usercontrols/Forum/addpost.ascx.vb")

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized against
SQL injection.
For the XSS you should whitelist the input messages.
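
The XSS side of the fix, as an added C# example that is not Blaze Apps code: the
post body is accepted only after a size check and is HTML-encoded when rendered,
so markup submitted through the post textbox reaches the browser as text. The
class, method names and length limit are assumptions; if the forum must allow
some formatting, a whitelist of permitted tags (as the advisory suggests) has
to be applied in addition to, not instead of, encoding everything else.

```csharp
// Added example (not Blaze Apps code): storing forum posts verbatim and encoding
// them at output time so stored markup cannot execute. All names are hypothetical.
using System;
using System.Web;

public static class PostRenderer
{
    // Hypothetical upper bound on a post body.
    public const int MaxPostLength = 4000;

    // Input-side check: reject empty or oversized posts. No markup filtering is
    // attempted here; output encoding is what neutralises it.
    public static bool IsAcceptablePost(string body)
    {
        return !String.IsNullOrEmpty(body)
            && body.Trim().Length > 0
            && body.Length <= MaxPostLength;
    }

    // Output-side fix: HTML-encode the stored text so <, >, & and double quotes
    // render as literal characters. Line breaks are turned into <br /> only after
    // encoding, so the only tags in the result are the ones this method emits.
    public static string RenderPost(string storedBody)
    {
        string encoded = HttpUtility.HtmlEncode(storedBody);
        return encoded.Replace("\r\n", "<br />").Replace("\n", "<br />");
    }

    public static void Main()
    {
        // Constructed sample post containing a script element.
        string submitted = "Hello\n<script>notify()</script>";
        if (IsAcceptablePost(submitted))
        {
            Console.WriteLine(RenderPost(submitted));
        }
    }
}
```

Encoding belongs at the point where the post is written into the page (the
forum's display control), so that every path that shows a stored post is covered
rather than only the one that created it.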

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_66.htm 

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir 
www.AmnPardaz.com 


