iPolicy Networks Security Advisory
 

Multiple XSS And SQL Injection Vulnerabilities In HyperStop And AlstraSoft Web Host Directory

Date Discovered: 05/25/2006
Severity: High
Applications Affected: HyperStop WebHost Directory 1.2 and prior
AlstraSoft Web Host Directory version 1.2 and prior
Discovered by: luny
Synopsis
SQL injection vulnerability in the search script, caused by an input validation error, in (A) AlstraSoft Web Host Directory 1.2, aka (B) HyperStop WebHost Directory 1.2, allows remote attackers to execute arbitrary SQL commands via the uri parameter.
Recommended Actions
1. Edit the source code to ensure that input is properly sanitised.
2. There was no vendor-supplied solution at the time of entry.
Threat Analysis
1. (CVE-2006-2616) URL injection in the search URL reveals an SQL query error:
A vulnerability has been identified in AlstraSoft Web Host Directory, which can be exploited by malicious people to conduct SQL injection attacks. Input given to the "uri" parameter in the "search" script isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
For example: http://www.example.com/demo/webhost/search/?uri='
Unknown column 'p.' in 'where clause' [SELECT COUNT(*) FROM `hsl_plan` p LEFT JOIN `hsl_host` h ON p.hid=h.hid WHERE p.status=1 AND p.``='']

2. (CVE-2006-2617) Inserting HTML code in the login form:
(A) AlstraSoft Web Host Directory 1.2, aka (B) HyperStop WebHost Directory 1.2, allows remote attackers to obtain the installation path via an invalid entry in the Username field on the login page, which causes the path to be displayed in an SQL error.
For example: inserting DIV STYLE="width: expression(alert('XSS'));" as HTML code produces the following full path error: Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /home/username/public_html/demo/webhost/include/login.php on line 6

3. (CVE-2006-2618) Input data isn't filtered in the "write a review" box:
Cross-site scripting (XSS) vulnerability in (A) AlstraSoft Web Host Directory 1.2, aka (B) HyperStop WebHost Directory 1.2, might allow remote attackers to inject arbitrary web script or HTML via the user review box. NOTE: since user reviews do not require administrator privileges, and an auto-approve mechanism exists, this issue is a vulnerability.
This in turn can cause XSS. As a proof of concept, insert DIV STYLE="width: expression(alert('XSS'));" as HTML code in the review text, then log in as the admin and view the review. Reviews also have an option to be auto-approved.
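One way to apply recommended action 1 to the search query, the error output and the review display described above, as an added example that is not the vendor's code. It assumes the uri value has the hypothetical form "<field>/<value>", uses made-up column names, and runs against an in-memory SQLite database instead of MySQL.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: request field name => fixed SQL identifier.
const FILTER_COLUMNS = ['price' => 'p.`price`', 'space' => 'p.`space`'];

function countPlans(PDO $db, string $uri): int
{
    // Assumed uri layout "<field>/<value>" (not taken from the product's source).
    [$field, $value] = array_pad(explode('/', $uri, 2), 2, '');
    // Identifiers cannot be bound as parameters, so the request text only
    // selects a fixed fragment; anything outside the allow-list is rejected.
    if (!array_key_exists($field, FILTER_COLUMNS)) {
        throw new InvalidArgumentException('unknown search field');
    }
    $sql = 'SELECT COUNT(*) FROM `hsl_plan` p LEFT JOIN `hsl_host` h ON p.hid=h.hid'
         . ' WHERE p.status=1 AND ' . FILTER_COLUMNS[$field] . ' = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$value]);   // the value travels as a bound parameter
    return (int) $stmt->fetchColumn();
}

function renderReview(string $text): string
{
    // Encode on output so stored review text is displayed, never parsed as markup.
    return '<p class="review">'
         . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed demo data; table names follow the query in the error message.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hsl_host (hid INTEGER)');
$db->exec('CREATE TABLE hsl_plan (hid INTEGER, status INTEGER, price TEXT, space TEXT)');
$db->exec("INSERT INTO hsl_host VALUES (1)");
$db->exec("INSERT INTO hsl_plan VALUES (1, 1, '5', '100'), (1, 1, '9', '100')");

echo countPlans($db, 'space/100'), "\n";     // ordinary search
echo countPlans($db, "space/10'0"), "\n";    // quote is compared as data, not SQL
try {
    countPlans($db, "'");                    // the advisory's test input
} catch (InvalidArgumentException | PDOException $e) {
    error_log($e->getMessage());             // detail goes to the server log only
    echo "Invalid search\n";                 // no query text or file path shown
}
echo renderReview('<b>nice host</b>'), "\n"; // markup is shown as literal text
```

The same catch-and-log pattern, together with display_errors turned off in production, keeps warnings such as the mysql_result() message in item 2 from exposing the installation path.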
References

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2617
http://www.frsirt.com/english/advisories/2006/1972
http://secunia.com/advisories/20276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2618

Write-up by: Amit Singh
Copyright ©2009 iPolicy Networks - Security Products Division of Tech Mahindra Limited