[34206] in bugtraq
Vulnerabilities in Member Management System 2.1
daemon@ATHENA.MIT.EDU (Manuel Lopez)
Mon Mar 22 18:22:49 2004
Message-ID: <20040322201435.30662.qmail@gulo.org>
From: "Manuel Lopez" <mantra@gulo.org>
To: bugtraq@securityfocus.com
Date: Mon, 22 Mar 2004 21:14:35 +0100
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-15"
Content-Transfer-Encoding: 8bit
#Title: Vulnerabilities in Member Management System 2.1
#Software: Member Management System 2.1
#Vendor: http://www.expinion.net/software/app_mms.asp
#Impact: Disclosure of authentication information, Disclosure of user
information, Execution of arbitrary code via network, Modification of user
and admin information, User access via network.
#Underlying OS: Windows NT, Windows 2000, Windows 2003 or Windows XP
Professional/Server.
#Vendor Description:
Quickly secure pages or portions of your web site from unregistered
visitors. Easy to integrate security into existing sites! Login to admin to
send 'Expiry Notices', upload & download user data, capture member activity,
browser & os info, add optional fields, send subscriber newsletters, group &
relate people, verify email addresses…
#Vulnerabilities:
Input Validation Holes Permit SQL Injection and Cross-Site Scripting
Attacks.
#SQL Injection#
Insufficient input sanitization in resend.asp and news_view.asp allows an
attacker to inject SQL code to manipulate and disclose information from the
database. The same problem is present in more scripts in the administration
site.
Examples:
http://[host]/resend.asp?ID=[SQL query]
http://[host]/news_view.asp?ID=[SQL query]
#Cross-Site Scripting#
Another sanitization problem permits an attacker to inject XSS in the
register form (register.asp); it will be executed in the administration
site, permitting the attacker to modify or delete data.
An XSS attack is also possible in error.asp.
Example:
http://[host]/error.asp?err=">[XSS]
Example to delete a user:
In the register form: "><iframe src=http://[host]/admin/user_del.asp?ID=[ID to delete]>
#Solution:
The vendor has been contacted; the vulnerabilities will be addressed very soon.
Thanks to Vladimir S. Pekulas.
http://www.expinion.net/software/app_mms.asp
#Credits:
Manuel López. mantra@gulo.org
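
Added example, not part of the original advisory and not vendor code: a log check a site operator could run while waiting for the fix, flagging requests to the scripts named above whose ID is not a plain integer or whose err value carries HTML metacharacters. It assumes IIS W3C logs with a #Fields directive and that ID is meant to be numeric; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (documentation IP addresses, made-up requests).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-22 20:14:35 192.0.2.10 GET /news_view.asp ID=12 200
2004-03-22 20:14:40 192.0.2.44 GET /news_view.asp ID=12%27 500
2004-03-22 20:15:02 192.0.2.44 GET /error.asp err=%22%3E%3Cb%3E 200
2004-03-22 20:15:30 192.0.2.10 GET /error.asp err=Invalid+login 200
2004-03-22 20:16:00 192.0.2.44 GET /Resend.asp id=5%3B-- 200
"""

MARKUP = re.compile(r"[<>\"']")        # characters that can break out of HTML
INTEGER = re.compile(r"[0-9]{1,10}")   # assumption: ID is a numeric record key

def is_integer(value):
    return INTEGER.fullmatch(value) is not None

def has_no_markup(value):
    return MARKUP.search(value) is None

# Script (lower-cased) -> (parameter, test for an acceptable value, finding).
RULES = {
    "/resend.asp": ("id", is_integer, "non-numeric ID"),
    "/news_view.asp": ("id", is_integer, "non-numeric ID"),
    "/error.asp": ("err", has_no_markup, "markup in err"),
}

def scan(log_text):
    """Return (client_ip, uri_stem, finding) for each suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        rule = RULES.get(rec.get("cs-uri-stem", "").lower())
        if rule is None:
            continue
        param, acceptable, finding = rule
        # parse_qs percent-decodes values; ASP matches parameter names
        # case-insensitively, so fold them before comparing.
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for name, values in query.items():
            if name.lower() == param and not all(acceptable(v) for v in values):
                hits.append((rec["c-ip"], rec["cs-uri-stem"], finding))
    return hits
```

The register.asp case is submitted through a form, so it will normally not appear in the query-string field of the log; this check covers only the GET-borne cases in resend.asp, news_view.asp and error.asp.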