#Title: Vulnerabilities in Member Management System 2.1
#Software: Member Management System 2.1
#Vendor: http://www.expinion.net/software/app_mms.asp
#Impact: Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS: Windows NT, Windows 2000, Windows 2003 or Windows XP
Professional/Server.
#Vendor Description:
Quickly secure pages or portions of your web site from unregistered
visitors. Easy to integrate security into existing sites! Login to admin to
send 'Expiry Notices', upload & download user data, capture member activity,
browser & os info, add optional fields, send subscriber newsletters, group &
relate people, verify email addresses?
#Vulnerabilities:
Input Validation Holes Permit SQL Injection and Cross-Site Scripting
Attacks.
#SQL Injection#
A problem of sanitation in resend.asp, news_view.asp, could lead an attacker
to inject SQL code to manipulate and disclose information from the database.
The same problem is present in administration site in more scripts.
Another problem of sanitation permits an attacker inject a XSS in the
register form (register.asp), this will be executed at the administration
site permitting the attacker to modify or delete data.
Also is possible a XSS attack in error.asp.
Example:
http://[host]/error.asp?err=">[XSS]
Example to delete a user:
In the register form: "><iframe src=http://[host]/admin/user_del.asp?ID=[ID
to delete]>
#Solution:
Vendor contacted, the vulnerabilities will be addressed very soon.
Thanks to Vladimir S. Pekulas.
http://www.expinion.net/software/app_mms.asp
#Credits:
Manuel López. mantra (at) gulo (dot) org [email concealed]
#Software: Member Management System 2.1
#Vendor: http://www.expinion.net/software/app_mms.asp
#Impact: Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS: Windows NT, Windows 2000, Windows 2003 or Windows XP
Professional/Server.
#Vendor Description:
Quickly secure pages or portions of your web site from unregistered
visitors. Easy to integrate security into existing sites! Login to admin to
send 'Expiry Notices', upload & download user data, capture member activity,
browser & os info, add optional fields, send subscriber newsletters, group &
relate people, verify email addresses?
#Vulnerabilities:
Input Validation Holes Permit SQL Injection and Cross-Site Scripting
Attacks.
#SQL Injection#
A problem of sanitation in resend.asp, news_view.asp, could lead an attacker
to inject SQL code to manipulate and disclose information from the database.
The same problem is present in administration site in more scripts.
Examples:
http://[host]/resend.asp?ID=[SQL query]
http://[host]/news_view.asp?ID=[SQL query]
#Cross-Site Scripting#
Another problem of sanitation permits an attacker inject a XSS in the
register form (register.asp), this will be executed at the administration
site permitting the attacker to modify or delete data.
Also is possible a XSS attack in error.asp.
Example:
http://[host]/error.asp?err=">[XSS]
Example to delete a user:
In the register form: "><iframe src=http://[host]/admin/user_del.asp?ID=[ID
to delete]>
#Solution:
Vendor contacted, the vulnerabilities will be addressed very soon.
Thanks to Vladimir S. Pekulas.
http://www.expinion.net/software/app_mms.asp
#Credits:
Manuel López. mantra (at) gulo (dot) org [email concealed]
[ reply ]