Blaze Apps Multiple Vulnerabilities
##########################www.BugReport.ir################################################
#
# AmnPardaz Security Research Team
#
# Title:               Blaze Apps Multiple Vulnerabilities
# Vendor:              http://blazeapps.codeplex.com
# Vulnerable Version:  1.4.0.051909 (and prior versions)
# Exploitation:        Remote with browser
# Fix:                 N/A
###################################################################################
####################
- Description:
####################
Blaze Apps is an ASP.NET 2 Content Management System. It uses VB and C# as
backend languages and Microsoft SQL Server as its DBMS.
####################
- Vulnerability:
####################
+--> MS SQL Server 2005 SQL Injection
+--/-- 1>
    There is an SQL Injection vulnerability in the site search module.
    The code can be found in the "<SRC_DIR>/BlazeApps/Usercontrols/Search.ascx" file.
    Submitting search criteria causes the subroutine "uxSubmitButton_Click"
    in the file "<SRC_DIR>/BlazeApps/Usercontrols/Search.ascx.vb" to be executed.
    It then uses the "uxSearchTextBox" input element value (POST variable) and
    the "tagname" input value (POST variable) in a query without escaping them.
    The exact place of the injection bug is at lines 67 and 69.
    NOTE: In the query-creation phase, all security precautions are observed. In the file
    "<SRC_DIR>/BlazeApps.Library/Search/PageSearch.cs" at lines 20 and 30 the
    query parameters are all escaped in a prepared SQL statement.
    But (only) in the search module, the WHERE clause is built manually before
    reaching the DB utility code!!!
+--/-- 2>
    In the "<SRC_DIR>/BlazeApps/App_Code/BlazeKBSVC.vb" file at lines 19 and 37
    the "SearchString" function parameter is not escaped before being used in the query.
    Again the bug is (only) in the high-level logic code; the underlying DB utility
    escapes everything correctly.
+--> Stored XSS Vulnerability
    The post page of the site's forum saves posts without any check on the input.
    In file "<SRC_DIR>/BlazeApps/Usercontrols/Forum/addpost.ascx.vb" line 121
    the "uxAddPostTextbox" input value is not sanitized.
####################
- Exploits/PoCs:
####################
+--> Exploiting SQL Injection Vulnerabilities:
    You can use the "aa' OR **** OR 'a'='1" injection vector for exploiting the
    above bugs (replacing the **** with a desired query). For example,
    "aa' OR 1=1 OR '1'='1" will show everything in the search response page.
    This vulnerability can be used for extracting the admin password by
    Blind SQL Injection.
    Using "aa' OR @Condition OR 'a'='1" as the injection vector, the result page
    for the search will be empty if @Condition is false and will show all links
    if @Condition is true.
    So we can replace @Condition with a query like
      EXISTS (SELECT * FROM blazedb.dbo.aspnet_Membership WHERE (LEN(Password) < 32) AND UserId=??)
    and then brute force the length and then each character of the password
    (of course we first need to extract the user id from the username by another
    query like the one above, and then fill ?? with the user id of the admin,
    which is the same process).
+--> Exploiting The Stored XSS Vulnerability:
    It can be exploited by posting a vector like "<script>alert('Stored XSS')</script>" to the forum.
    (see "<SRC_DIR>/BlazeApps/Usercontrols/Forum/addpost.ascx.vb")
####################
- Solution:
####################
Edit the source code so that the search module and BlazeKBSVC pass user input to
the database only through parameterized (prepared) SQL statements, as the library
code in PageSearch.cs already does, instead of building the WHERE clause by string
concatenation.
For the XSS, whitelist the input messages before storing them.
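As an added illustration of the SQL injection fix (this is not Blaze Apps code; the class, method, table and column names are assumptions), a C# search query in the concatenated form the advisory describes next to the parameterized form that the library's prepared statements already use:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical names (SiteSearch, Pages, BuildSearchCommand) are assumptions, not Blaze Apps code.
public static class SiteSearch
{
    // Vulnerable pattern described in the advisory: the WHERE clause is
    // assembled by string concatenation from the POST values, so a quote
    // in the search text changes the structure of the query.
    public static string BuildVulnerableSql(string searchText, string tagName)
    {
        return "SELECT PageId, Title FROM Pages WHERE Title LIKE '%" + searchText +
               "%' AND Tag = '" + tagName + "'";
    }

    // Escape LIKE wildcards so user text is matched literally ('[' must be escaped first).
    static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Fixed pattern: the SQL text is constant and every user value travels as
    // a typed SqlParameter, so the database never parses it as SQL.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, string searchText, string tagName)
    {
        const string sql =
            "SELECT PageId, Title FROM Pages " +
            "WHERE Title LIKE '%' + @search + '%' AND Tag = @tag";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@search", SqlDbType.NVarChar, 200).Value = EscapeLike(searchText ?? "");
        cmd.Parameters.Add("@tag", SqlDbType.NVarChar, 50).Value = tagName ?? "";
        return cmd;
    }

    public static void Main()
    {
        // Constructed input containing the quote/OR pattern from the advisory.
        string hostile = "aa' OR 1=1 OR '1'='1";
        Console.WriteLine(BuildVulnerableSql(hostile, "news"));
        using (var conn = new SqlConnection("Server=(local);Database=blazedb;Integrated Security=true"))
        {
            var cmd = BuildSearchCommand(conn, hostile, "news");
            Console.WriteLine(cmd.CommandText);   // constant SQL text; the input is not in it
            Console.WriteLine(cmd.Parameters["@search"].Value);
        }
    }
}
```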
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_66.htm
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com