ASPPortal multiple .asp scripts allow SQL injection

aspportal-multiple-aspscripts-sql-injection (25346)

Risk Level:

Medium

Description:

ASPPortal is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the download_click.asp script using the 'downloadid' parameter or to the News_Item.asp script using the 'content_ID' parameter to obtain the administrative password and login. Once admin access is gained on the system, multiple admin scripts could be used for SQL injection, which could allow the attacker to add, modify, or delete information in the back-end database with SYSTEM privileges.
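Added illustrative example, not part of the X-Force entry: a small Python check that scans IIS W3C log lines for requests to the two unauthenticated scripts named above whose ID parameter is not a plain integer, which is the cheapest way to spot probing of these entry points after the fact. The log excerpt, client addresses and field layout are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Unauthenticated entry points named in the advisory (script -> numeric ID parameter).
# ASP treats query-string names case-insensitively, so names are compared in lower case.
WATCHED = {"download_click.asp": "downloadid", "news_item.asp": "content_id"}

# Constructed IIS W3C log excerpt (not real traffic); fields follow the #Fields line.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2006-03-22 10:01:12 10.0.0.5 GET /download_click.asp downloadid=17 192.0.2.10 200
2006-03-22 10:01:19 10.0.0.5 GET /download_click.asp downloadid=17' 192.0.2.11 500
2006-03-22 10:02:03 10.0.0.5 GET /news/News_Item.asp content_ID=4%20OR%201%3D1 192.0.2.11 200
2006-03-22 10:02:40 10.0.0.5 GET /news/News_Item.asp content_ID=9 192.0.2.12 200
2006-03-22 10:03:01 10.0.0.5 GET /content/home/default1.asp - 192.0.2.13 200
"""

# Both parameters are record IDs, so a legitimate value is a short unsigned integer.
INTEGER = re.compile(r"^[0-9]{1,10}$")


def parse_line(line):
    """Split one W3C line into (stem, query, client_ip, status); None for directives/blank."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.split()
    if len(fields) != 8:
        return None
    return fields[4], fields[5], fields[6], int(fields[7])


def suspicious_requests(log_text):
    """Return (client_ip, stem, param, value, status) for each request to a watched script
    whose ID parameter is not a plain integer. A hit is an anomaly to triage (a 500 next to
    it usually means the database raised an error), not proof of exploitation."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stem, query, client, status = rec
        param = WATCHED.get(stem.rsplit("/", 1)[-1].lower())
        if param is None or query == "-":
            continue
        # parse_qs URL-decodes the values; keep_blank_values so an empty ID is flagged too
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() == param:
                hits.extend((client, stem, name, v, status) for v in values if not INTEGER.match(v.strip()))
    return hits
```

The same integer-only rule is also the server-side fix for these two scripts: reject any value that does not match before it reaches a query.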

Platforms Affected:

  • ASP Portal, ASP Portal 3.1.1

Remedy:

Upgrade to the latest version of ASPPortal (3.1.2 or later), available from the ASPPortal Web site. See References.

Consequences:

Data Manipulation

References:

  • ASPPortal Web page, ASP Portal: Fast, Flexible and Easy to Use at http://www.aspportal.net/content/home/default1.asp.
  • Full-Disclosure Mailing List, Tue Mar 21 2006 - 14:29:02 CST, ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1402.html.
  • BID-17174: ASP Portal Multiple SQL Injection Vulnerabilities
  • CVE-2006-1353: Multiple SQL injection vulnerabilities in ASPPortal 3.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the downloadid parameter in download_click.asp and (2) content_ID parameter in news/News_Item.asp; authenticated administrators can also conduct attacks via (3) user_id parameter to users/add_edit_user.asp, (4) bannerid parameter to banner_adds/banner_add_edit.asp, (5) cat_id parameter to categories/add_edit_cat.asp, (6) Content_ID parameter to News/add_edit_news.asp, (7) download_id parameter to downloads/add_edit_download.asp, (8) Poll_ID parameter to poll/add_edit_poll.asp, (9) contactid parameter to contactus/contactus_add_edit.asp, (10) sortby parameter to poll/poll_list.asp, and (11) unspecified inputs to downloads/add_edit_download.asp.
  • OSVDB ID: 24020: ASP Portal download_click.asp downloadid Variable SQL Injection
  • OSVDB ID: 24084: ASP Portal News_Item.asp content_ID Variable SQL Injection
  • OSVDB ID: 24085: ASP Portal add_edit_user.asp user_id Variable SQL Injection
  • OSVDB ID: 24086: ASP Portal banner_add_edit.asp bannerid Variable SQL Injection
  • OSVDB ID: 24087: ASP Portal add_edit_cat.asp cat_id Variable SQL Injection
  • OSVDB ID: 24088: ASP Portal add_edit_news.asp Content_ID Variable SQL Injection
  • OSVDB ID: 24089: ASP Portal contactus_add_edit.asp contactid Variable SQL Injection
  • OSVDB ID: 24090: ASP Portal add_edit_poll.asp Poll_ID Variable SQL Injection
  • OSVDB ID: 24091: ASP Portal poll_list.asp sortby Variable SQL Injection
  • OSVDB ID: 24092: ASP Portal add_edit_download.asp download_id Variable SQL Injection
  • SA19286: ASPPortal "downloadid" SQL Injection Vulnerability
  • VUPEN/ADV-2006-1014: ASPPortal downloadid Parameter Handling Remote SQL Injection Vulnerability

Reported:

Mar 21, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
