****************************************************************************************************
CRIOLABS
- Software: Password protect
- Type: User Authentication
- Company: Web Animations
- Date: 30-8-2004
****************************************************************************************************

## Software ##

Software:  Password protect
Versions:  All
Language:  ASP
Platforms: Windows NT, 2000, XP
Web:       http://www.webanimations.com.au/

Vendor description: "The ultimate protection including unlimited user names and passwords, each checking their individual IP address. You can add 1 IP address or include a range for users with various IP addresses when they log in."

## Affected part ##

- ChangePassword.asp (XSS in showmsg; SQL Injection in the LoginId and OPass variables)
- index.asp (XSS in showmsg)
- index_next.asp (SQL Injection in the admin and Pass variables)
- users_list.asp (XSS in the showmsg variable)
- users_add.asp (XSS in the showmsg variable; SQL Injection)
- users_edit.asp (XSS; SQL Injection)

## Vulnerabilities ##

### SQL Injection ###

User-supplied values are placed directly into SQL statements without escaping or parameterization. A remote user can exploit this to log in as admin without knowing the password, or to manipulate the database. index_next.asp, ChangePassword.asp, users_edit.asp and users_add.asp are affected.

Example:

/adminSection/index_next.asp?
    admin=(SQLInjection)
    Pass=(SQLInjection)

/adminSection/ChangePassword.asp?
    LoginId=(SQLInjection)
    OPass=(SQLInjection)
    NPass=(SQLInjection)
    CPass=(SQLInjection)

Proof of Concept (login form of the admin section):

Login Id: 'or''='
Password: 'or''='

Login Id: admin
Password: 'or''='

The payload closes the quoted string the script builds around the submitted value and appends a condition (''='') that is always true, so the WHERE clause of the login query matches a row regardless of the password.

### Cross-site Scripting ###

This software does not filter HTML code from user-supplied input in some scripts. The value of the showmsg parameter is written back into the page without HTML encoding, so a link carrying script in that parameter executes in the browser of whoever follows it; since the affected pages live in the admin section, the likely victim is the administrator.

Example:

/adminSection/index.asp?ShowMsg=(XSS)
/adminSection/ChangePassword.asp?ShowMsg=(XSS)
/adminSection/users_list.asp?showmsg=(XSS)
/adminSection/users_add.asp?showmsg=(XSS)

## History ##

Vendor contacted: Fri, 06 Aug 2004. No response.

## Credits ##

Criolabs staff
http://www.criolabs.net
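The login bypass from the SQL Injection section, reproduced as an added example that is not code from the advisory or from the Password protect product. The table name `admins`, its columns `admin`/`pass`, and the in-memory SQLite database are assumptions standing in for whatever schema and database engine the ASP scripts actually use; only the concatenation pattern and the `'or''='` payload come from the advisory.

```python
import sqlite3

PAYLOAD = "'or''='"  # the proof-of-concept value from the advisory


def make_db():
    """Constructed sample data: one admin account (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (admin TEXT, pass TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(admin, password):
    """String concatenation, the pattern the advisory's PoC relies on."""
    return "SELECT admin FROM admins WHERE admin='%s' AND pass='%s'" % (admin, password)


def login_vulnerable(conn, admin, password):
    """Returns the matched account name, or None if the login fails."""
    row = conn.execute(build_vulnerable_query(admin, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, admin, password):
    """Same check with bound parameters: the payload is compared as data, never parsed as SQL."""
    sql = "SELECT admin FROM admins WHERE admin=? AND pass=?"
    row = conn.execute(sql, (admin, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login paths against the PoC inputs and collect the outcomes."""
    conn = make_db()
    return {
        # WHERE admin=''or''='' AND pass=''or''=''  -> trailing ''='' is always true
        "vuln_both_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # WHERE admin='admin' AND pass=''or''=''    -> same effect with a known user name
        "vuln_admin_payload": login_vulnerable(conn, "admin", PAYLOAD),
        "vuln_wrong_pass": login_vulnerable(conn, "admin", "guess"),
        "fixed_both_payload": login_fixed(conn, PAYLOAD, PAYLOAD),
        "fixed_admin_payload": login_fixed(conn, "admin", PAYLOAD),
        "fixed_correct": login_fixed(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    for name, outcome in demo().items():
        print("%-20s %s" % (name, outcome))
```

The vulnerable path logs in with either PoC pair because AND binds tighter than OR, leaving a final `OR ''=''` that matches every row; the parameterized path rejects both and only accepts the real credentials. In classic ASP the equivalent fix is an ADODB.Command with appended parameters instead of building the SQL string with `&`.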
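The reflected showmsg injection from the Cross-site Scripting section, as an added example that is not code from the advisory or the product. It models the two ways a script can write the parameter back into the page and includes a small check that tells, from a captured response body, whether a payload came back with its markup intact. The `<p class="msg">` wrapper and the sample URL are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the advisory's (XSS) placeholder filled with a script tag, URL-encoded
SAMPLE_URL = "/adminSection/index.asp?ShowMsg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def get_showmsg(url):
    """Extract the showmsg value; ASP's Request collection matches names case-insensitively."""
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() == "showmsg":
            return values[0]
    return ""


def render_vulnerable(msg):
    """Equivalent of writing Request("ShowMsg") straight into the page (the advisory's flaw)."""
    return '<p class="msg">%s</p>' % msg


def render_fixed(msg):
    """Encode on output; in classic ASP this is Server.HTMLEncode(Request("ShowMsg"))."""
    return '<p class="msg">%s</p>' % html.escape(msg, quote=True)


def reflects_raw(payload, body):
    """True when the payload appears in the response unencoded, i.e. the page is exploitable."""
    return payload in body and html.escape(payload, quote=True) not in body


if __name__ == "__main__":
    msg = get_showmsg(SAMPLE_URL)
    for label, page in (("vulnerable", render_vulnerable(msg)), ("fixed", render_fixed(msg))):
        print("%-10s reflects raw: %-5s  %s" % (label, reflects_raw(msg, page), page))
```

`reflects_raw` is the check to run against a real response when retesting: fetch each affected page with a marker in showmsg and confirm the marker only ever comes back entity-encoded.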