Aenovo Multiple Vulnerabilities [KAPDA::#3] - Aenovo - Multiple Vulnerabilities KAPDA New advisory Vulnerable products : Aenovo(v Trial`s tested,Hopefully all other versions), AenovoShop and aeNovoWYSI (v Demo`s tested,Hopefully all other versions) Vendor: http://www.aenovo.co.uk/ Risk: High Vulnerability: Sql injection-Weak password storage-Cross site Scripting (xss) About Aenovo -------------------- aeNovo is a collection of sophisticated web pages that allows you to have a website that's as big and as elaborate as you make it. Once your aeNovo files are moved to your web space you can add, delete and amend pages, images and all manner of files all THROUGH THE BROWSER. Vendor`s description : http://www.aenovo.co.uk/introduction.asp Discussion : ---------------- Several scripts do not properly validate user-supplied input. A remote user can create specially crafted parameter values that will execute SQL commands on the underlying database.Also it is possible to Inject Html scripts in vulnerable page. One the most Important rules in Application security is confidentiality of stored passwords.To achive this goal Applications ( Including web apps) encrypt passwords and store crypted hashes.This application suffer from Clear Text Password Storage. As we know and tested all versions of Aenovo , Aenovoshop and aeNovoWYSI are vulnerable. Vulnerabilities: -------------------- [1] Sql injection in /password/default.asp (/user/control.asp) at parameter named 'password'.Attacker can enter Sql to login to system as low-level user. [2]Clear Password Storage at 'control','content' and 'pages' tables. [3]Sql injection in /search.asp (/incs/searchdisplay.asp) at parameter named 'strSQL'. [4]Xss can be found in most of active server pages which get and render user-supplied input. Proof of Concepts: -------------------- [1]
Discovery and exploit by farhadkey [at} kapda.ir
[3] AeNovo :Lists username and password of administrators http://target/search.asp?strSQL=[SQL Injection] AeNovoShop:Lists username and password of administrators http://target/search.asp?strSQL=[SQL Injection] AeNovoWYSI:Lists username and password of administrators http://target/search.asp?strSQL=[SQL Injection] Solution: -------------------- No patch`s released yet by vendor. This advisory is reported to Vendor about one month ago. More Detail: -------------------- http://www.kapda.ir/advisory-78.html Visit above link for more details. Credit : -------------------- Farhad Koosha & Devil_box devil_box [at} kapda.ir farhadkey [at} kapda.ir Kapda - Security Science Researchers Insitute of Iran http://www.KAPDA.ir (PersianHacker.NET)