Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Insufficient User Input Validation in VP-ASP 6.50 Demo Code
From: CodeScan Labs Advisories <advisories () codescan com>
Date: Thu, 21 Jan 2010 11:33:26 +1300

========================================================================

= CodeScan Advisory, codescan.com <advisories () codescan com>
=
= Insufficient User Input Validation in VP-ASP 6.50 Demo Code
=
= Vendor Website:
= http://www.vpasp.com/
=
= Affected Version:
=    VP-ASP Shopping Cart 6.50 Demo Code And Earlier
=
= Researched By
=    CodeScan Labs <advisories () codescan com>
=
= Public disclosure on January 21st, 2010

========================================================================

 
== Overview ==

CodeScan Labs (http://www.codescan.com), has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.

During the ongoing testing of CodeScan ASP, VP-ASP was selected as one of 
the test applications. We downloaded a demo of VP-ASP from the VP-ASP
website http://www.vpasp.com/virtprog/paypal.htm.

 This advisory is the result of research into the security of VP-ASP,
based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* SQL Injection *

An SQL Injection vulnerability is caused by assigning a variable from client 
data, for example in file shopsessionsubs.asp in Function Getwebsess:

        userid=cleanchars(request("websess"))
and:
        userid = Request.Cookies(cookiename)

In Sub ResponseCookies variable userid is assigned to variable websess by a 
call to Getwebsess and variable websess is concatenated with other data to 
construct an SQL statement: 

        cookiesql="Select * from sitesessions where sessionkey='" & websess & "'"

This SQL statement is used in a call to ADODB.Connection.Execute:

        set cookiers=cookiedbc.execute(cookiesql)

The function cleanchars makes a security check on the input, but this check is 
based on a blacklist of bad characters that could be used in SQL statements; 
it is better to use a whitelist of allowed characters, as it is easy to 
overlook possible bad characters.

* Cross Site Scripting and Arbitrary File Access *

Cross Site Scripting and Arbitrary File Access vulnerabilities are caused by 
assigning a variable from client data in file shopsessionsubs.asp, in 
Sub CookielessGenerateFilename:

        ipaddress = Request.Servervariables("REMOTE_HOST") 

Variable ipaddress is concatenated with other data in 
Sub CookielessGenerateFilename to construct a variable filename:

        tempname=prefix & "_" & mm & dd & yy & "_" & Ipaddress
        tempname=tempname & ".txt"
        tempname=xsavesessionfilefolder & "\" & tempname
        filename=tempname

Variable filename is used in calls to Scripting.FileSystemObject.OpenTextFile 
and Response.Write in Sub CookielessReadFile:

        Set Myfile = fso.OpenTextFile(filename, 1, false)
and: 
        response.write "<b>" &  "unable to open file" & filename  & "<br>" & err.description & "</b>"

These vulnerabilities do not depend on direct user input, but a hacker could 
tamper with the REMOTE_HOST server variable or with cookies to supply malicious 
input.
 
== Credit ==

Discovered and advised to the vendor by CodeScan Labs

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities.  The CodeScan product is currently available for ASP, ASP.NET C#
and PHP

CodeScan Labs operates with Responsible Disclosure where appropriate. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor may not be made publicly available.
-- 
This message has been scanned for viruses and
dangerous content by Bizo EmailFilter, and is
believed to be clean.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Insufficient User Input Validation in VP-ASP 6.50 Demo Code CodeScan Labs Advisories (Jan 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault