Multiple Vulnerabilities In IdealBB ASP Bulletin Board

2006.05.12
Credit: CodeScan Labs
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

======================================================================== = CodeScan Advisory, codescan.com <advisories (at) codescan (dot) com [email concealed]> = = Multiple Vulnerabilities In IdealBB ASP Bulletin Board = = Vendor Website: = http://www.idealscience.com = = Affected Version: = Version 1.5.4a And Earlier = = Researched By = CodeScan Labs <advisories (at) codescan (dot) com [email concealed]> = = Public disclosure on May 8th, 2006 ======================================================================== == Overview == CodeScan Labs (www.codescan.com), has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user supplied input. During the ongoing testing of CodeScan ASP, IdealBB ASP Bulletin Board was selected as one of the test applications. This advisory is the result of research into the security of IdealBB, based on the report generated by the CodeScan tool. == Vulnerability Details == * File Reading * A vulnerability leading to the viewing of any file under the web root was discovered. The vulnerable code syntax is a call to the OpenTextFile method of the Scripting.FileSystemObject with user supplied input passed as the file to read. * File Uploading * Four file uploading vulnerabilities were discovered, allowing a remote user to upload files containing ASP code. One of the vulnerable instances attempts to check that the extension is of an allowed type. It does this by checking the extension against a list of known good. While the list does not include the .asp extension it does include .asa. This means a user can upload a file with a .asa extension that contains ASP scripting that will be executed when the uploaded file is accessed. All of the instances are vulnerable to the ASP Null Byte problem as documented in http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads. pdf All the instances use code similar to that shown below to validate the extension against a list of allowed. [ Start Pseudo Code ] theExtension = right(sFileName, len(sFileName) - instrrev(sFileName, ".")) bFileExtensionIsValid = false 'assume extension is bad for each sFileExt in oProps.extensions if ucase(sFileExt) = ucase(sFileExtension) then 'if the extensions match, it's good. stop checking bFileExtensionIsValid = True exit for end if next [ End Pseudo Code ] The CreateTextFile method of the Scripting.FileSystemObject is then used to write the contents of the upload to a file. * SQL Injection * More than 50 SQL Injection vulnerabilities were located during the CodeScan analysis. Most of these were caused due to unfiltered user supplied input appended directly to calls to stored procedures. [ Start Pseudo Code ] SQLstr = "sp_someStoredProc " & ID record.Open SQLstr,DB_CONNECTION,0,1 [ End Pseudo Code ] In some cases the user supplied input was passed through a function used to escape the ' character. Exploitation was still possible though as the concatenated SQL string did not place the input inside quotes. [ Start Pseudo Code ] function validateInput(theString) theString = replace(theString, "'", "''") .. end function SQLstr = "sp_anotherStoredProc " & validateInput(ID) record.Open SQLstr,DB_CONNECTION,0,1 [ End Pseudo Code ] * Cross Site Scripting * Numerous cross site scripting vulnerabilities were discovered where user supplied input was outputted directly back to the browser. == Solutions == CodeScan Labs has been in contact with the vendor and a new version of the software has been released to address a number of the discovered vulnerabilities. Users are advised to upgrade to the latest version from http://www.idealscience.com == Credit == Discovered and advised to the vendor by CodeScan Labs == About CodeScan Labs Ltd == CodeScan Labs is a specialist security research and development organisation, that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through the automated scanning of the web application source code for security vulnerabilities. The CodeScan product is currently available for ASP and PHP(Beta) CodeScan Labs operates with Responsible Disclosure. As a result, any published advisories will contain information around problems identified by CodeScan, that have been resolved by the vendor.Additional code problems which may be identified by CodeScan or its staff which are not resolved by the vendor will not be made publicly available. e-mail protected and scanned by Bizo Email Filter - powered by Advascan


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top