BugTraq
Password Protect XSS and SQL-Injection vulnerabilities. Aug 30 2004 11:16PM
Criolabs (security criolabs net)
************************************************************************************************
CRIOLABS

- Software: Password protect
- Type: User Authentication
- Company: Web Animations
- Date: 30-8-2004

************************************************************************************************

## Software ##

Software: Password protect
Versions: All
Language: ASP
Platforms: Windows NT, 2000, XP
Web: http://www.webanimations.com.au/

Vendor description: "The ultimate protection including unlimited user names and passwords, each checking their individual
IP address. You can add 1 IP address or include a range for users with various IP addresses
when they log in."

## Affected part ##

- ChangePassword.asp (XSS in ShowMsg, SQL Injection in LoginId and OPass variables)
- index.asp (XSS in ShowMsg)
- index_next.asp (SQL Injection in admin and Pass variables)
- users_list.asp (XSS in ShowMsg variable)
- users_add.asp (XSS in ShowMsg variable, SQL Injection)
- users_edit.asp (XSS, SQL Injection)

## Vulnerabilities ##

### SQL Injection ###

A remote user can use an SQL injection attack to log in as admin or manipulate the database.
index_next.asp, ChangePassword.asp, users_edit.asp and users_add.asp are affected.


Example:

/adminSection/index_next.asp?admin=(SQLInjection)&Pass=(SQLInjection)

/adminSection/ChangePassword.asp?LoginId=(SQLInjection)&OPass=(SQLInjection)&NPass=(SQLInjection)&CPass=(SQLInjection)

### Cross-site Scripting ###

This software does not filter HTML code from user-supplied input in some scripts, so the ShowMsg parameter is echoed into the page unencoded.


Example:

/adminSection/index.asp?ShowMsg=(XSS)
/adminSection/ChangePassword.asp?ShowMsg=(XSS)
/adminSection/users_list.asp?ShowMsg=(XSS)
/adminSection/users_add.asp?ShowMsg=(XSS)
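
The following classic-ASP snippet is an added illustration for both issues above; it is not code from the Password Protect product or from the Criolabs advisory. It shows the vulnerable pattern the advisory describes (query text built by string concatenation from the LoginId/Pass style parameters, and ShowMsg written back to the page as-is) next to a hardened form that binds input through ADODB.Command parameters and encodes ShowMsg with Server.HTMLEncode. The table name Admins, its columns, the function names and the open connection object conn are assumptions made for the example.

```asp
<%
' Added example, not the product's code. Assumed schema: table Admins(LoginId, Pass).
Option Explicit
Const adCmdText = 1, adVarChar = 200, adParamInput = 1

' --- Vulnerable pattern described in the advisory: request parameters are
' --- concatenated straight into the SQL text, so their content becomes query syntax.
Function LookupAdminUnsafe(conn, loginId, pass)
    Dim sql, rs
    sql = "SELECT LoginId FROM Admins WHERE LoginId='" & loginId & "' AND Pass='" & pass & "'"
    Set rs = conn.Execute(sql)
    LookupAdminUnsafe = Not rs.EOF
    rs.Close
End Function

' --- Hardened form: the query text is fixed and input travels only as bound parameters,
' --- so the database never parses user data as SQL. (A real login should compare a
' --- password hash rather than the plaintext; the column is kept as-is to match the example.)
Function LookupAdminSafe(conn, loginId, pass)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT LoginId FROM Admins WHERE LoginId = ? AND Pass = ?"
    cmd.Parameters.Append cmd.CreateParameter("LoginId", adVarChar, adParamInput, 50, loginId)
    cmd.Parameters.Append cmd.CreateParameter("Pass", adVarChar, adParamInput, 50, pass)
    Set rs = cmd.Execute
    LookupAdminSafe = Not rs.EOF
    rs.Close
End Function

' --- ShowMsg: the vulnerable scripts echo the parameter raw. Encoding it before
' --- writing means any markup in the parameter is rendered as literal text.
Sub ShowMessageSafe()
    Dim msg
    msg = Request.QueryString("ShowMsg")
    If Len(msg) > 0 Then
        Response.Write "<p class=""msg"">" & Server.HTMLEncode(msg) & "</p>"
    End If
End Sub
%>
```

For detection while a fix is pending, web-server logs for requests to the adminSection scripts can be reviewed for ShowMsg values containing angle brackets or quotes, and for LoginId/admin/Pass values containing quote characters; such requests are not normal for these pages.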

## History ##

Vendor contacted: Fri, 06 Aug 2004, no response.

## Credits ##

Criolabs staff
http://www.criolabs.net

Original advisory and proof of concept in http://www.criolabs.net/advisories/passprotect.txt
