Release date:
Affected Versions:
HoWave V4.1 ASP
Vulnerability description:
In the file inc/hl_manage.inc:
AdminUserId = Request. Cookies ("hl_manage") ("username") // 5th rows
......
SQL _admin = "select * from hl_admin where hl_adminuser =" & adminUserId & "" // 15th rows
The program does not filter the values obtained from cookies, resulting in injection vulnerabilities.
===
In the User_ModifyPWD.asp file:
SQL = "select * from hl_user where id =" & ReplaceBadChar (request ("ID") // 184th rows
Rs. open SQL, conn, 1, 3
The program uses the ReplaceBadChar function to filter the numeric variable ID, resulting in the injection vulnerability.
===
In the file User_Passport.asp:
SQL = "select * from hl_user where id =" & replace (request ("ID"), "", ") // 199th rows
Rs. open SQL, conn, 1, 3
The program filters only the single quotes of the numeric variable ID, resulting in injection vulnerability. <* Reference
Bug. Center. Team
*>
Temporary solution:
If you cannot install or upgrade the patch immediately, we recommend that you take the following measures to reduce the threat:
* Filter the values obtained from cookies.
===
Temporary solution:
If you cannot install or upgrade the patch immediately, we recommend that you take the following measures to reduce the threat:
* Use Clng to filter the variable ID
===
Temporary solution:
If you cannot install or upgrade the patch immediately, we recommend that you take the following measures to reduce the threat:
* Use Clng to filter the variable ID
Vendor patch:
Henglang Technology
-------------
Currently, the vendor has not provided any patches or upgrade programs. Please follow the suggestions for temporary solutions.
Http://www.jsp163.com
Test method:
The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk! Use a browser that can modify cookies for injection.
===
A http://www.target.com/User_ModifyPWD.asp? Action = SavePWD & ID = 1 and user = 0
===
Http://www.target.com/User_Passport.asp? Action = SavePassport & ID> 0-