VisualSite CMS 1.3 – Multiple Vulnerabilities

• Exploit Database
• 109 阅读

• 作者： Abysssec
  日期： 2010-09-25
• 类别：

  • webapps
  平台：

  • asp
• 来源：https://www.exploit-db.com/exploits/15106/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65

  &apos;&apos;&apos; ________ __ ____ |\/|/ __ \ /\| || |_ \ | \/ | || | /\ | || | |_) | | |\/| | || |/ /\ \| || |_ < | || | |__| / ____ \ |__| | |_) | |_||_|\____/_/\_\____/|____/   http://www.exploit-db.com/moaub-25-visualsite-cms-multiple-vulnerabilities/ &apos;&apos;&apos;   Abysssec Inc Public Advisory Title:VisualSite CMS Multiple Vulnerabilities Affected Version :VisualSite 1.3 Discovery:www.abysssec.com Download Links :http://sourceforge.net/projects/visualsite/ Login Page :http://Example.com/Admin/Default.aspx Description : =========================================================================================== This version of Visual Site CMS have Multiple Valnerabilities : 1- Logical Bug for Lock Admin&apos;s Login 2- Persistent XSS in admin section     Logical Bug for Lock Admin&apos;s Login: ===========================================================================================   If you enter this values in Login Page (http://Example.com/Admin/Default.aspx) three times during five minutes , the Admin&apos;s login will be locked:   Username : 1&apos; or &apos;1&apos;=&apos;1 Password : foo     Vulnerable Code is in this file: ../App_Code/VisualSite/DAL.cs Ln 378: public static User GetUser(string username) { User result = null; DataTable matches = ExecuteRowset(String.Format("SELECT [ID], [Username], [Password], [LockedDate] FROM [User] WHERE [Username] = &apos;{0}&apos;", Sanitise(username))); if (matches != null && matches.Rows.Count > 0) { ... } return result; }       Persistent XSS in admin section: =========================================================================================== In Edit Section which is accessible to Admin, it is possible to enter a script in Description field that only executed in the following path and never executed in other situations:   http://Example.com/SearchResults.aspx?q={}     ===========================================================================================