Author: Tosec Information Security Team
Reprinted
Because of the length of the article, the source code is not included; if you are interested, you can search Baidu for it.
First, let us take a quick look at this system. A description follows.
The main pages that users can browse are:
List.asp: the list page of each channel
Show.asp: the content view page
About.asp: the information page
Guest.asp: the visitor message page
These are the pages that 90% of users view; other pages are not listed here.
Looking further at the website structure, it is clearly organized, so that administrators can easily operate on and modify the information they are responsible for.
The system's ASP code also applies some security handling to submitted page data, such as empty-value checks and numeric validation for the list ID, and performs unsafe-character replacement and other security measures on submitted data.
I. Direct access to the database connection page
When we access the /AppCode/conn.asp address directly, the following error occurs and reveals sensitive information about the website:
· Error type:
Microsoft JET Database Engine (0x80004005)
C:\Documents and Settings\Cmder\Desktop\Ok3w_AspNews\AppCode\Db\Ok3w#30.asa is not a valid path. Check whether the path name is spelled correctly and whether you are connected to the server on which the file resides.
/security analysis/AppCode/conn.asp, line 3
· Browser type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 1.1.4322)
· Page:
GET /security analysis/AppCode/conn.asp
On the conn.asp page itself there is no database connection information to be seen. The page source is as follows:
<!--#include file="SysConfig.asp"-->
... (lines omitted)
Conn.Open ConnStr
End Sub
%>
Following the include, we look at the SysConfig.asp page.
The database address is set here. Checking that address shows that the file does exist and produces no error, so the relevant information can be modified and added later.
Cause of the vulnerability:
The designer put conn.asp in the AppCode directory, presumably to hide the sensitive information in conn.asp. Because the way the file is called is not set up properly, that information can be viewed directly.
Repair solution:
If the following statement in conn.asp
C & Server.MapPath(dbdns & SysSiteDbPath)
is changed to
C & Server.MapPath("../Db/Ok3w#30.asa")
the database address is no longer exposed directly, but the website then fails to browse normally. We therefore recommend relocating the AppCode directory and modifying the include address to match, which solves the problem completely.
II. Risks caused by not filtering submitted comments
Show.asp contains a frame for submitting comments, so we began security testing of the comment function. On the homepage we entered a cross-site script and found that comments must be reviewed in the back end before they are displayed, so there appears to be no vulnerability there. However, combined with the first vulnerability, we can submit a trojan directly in a comment and finally obtain web file management permission. First, we submitted the <%execute request("value")%> one-line trojan.
We wrote the trojan into both the contact and content fields and clicked Submit.
I was surprised to find that the request was submitted successfully. Because of problems with the local environment, I could not reach the ASA database through the web directly, so to verify I opened the ASA database file directly.
We found that the one-line trojan had not been filtered and had been written successfully. Next, a trojan client can be used to connect to it.
In this way the final management permission of the website can be obtained.
Cause of the vulnerability:
The data submitted by POST is not filtered, so dangerous code submitted by the user is written directly to the database.
Repair solution:
On the submission page, include an anti-injection file (include "anti-injection file name") to filter the submitted data and record the submitting user's information for later review; this prevents unauthorized users from gaining web permissions. Alternatively, call the filtering code defined in function.asp directly.
Summary: programmers often fail to filter or apply security handling to every piece of data, which is why careful inspection is needed. This analysis report describes two mistakes programmers commonly make in design.
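The filter the repair solution calls for has one job the moderation queue cannot do: keep server-side script out of a database file that the web server will execute. The following is an added example, not code from the article or from the Ok3w_AspNews system, written in Python rather than the system's own VBScript so the logic can be run and checked offline; the field names contact and content come from the article, while the pattern list, the function names and the sample submissions are constructed for this example. It rejects any field containing an ASP code block, a server-side script tag or a server-side include, logs the rejection, and HTML-escapes what it does accept, which is why the cross-site script the article tried is stored harmlessly while the one-line trojan is refused.

```python
import html
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Tokens that must never reach a file the web server may execute as ASP.
# Constructed for this example; extend for the dialects your server runs.
SERVER_SCRIPT_PATTERNS = [
    re.compile(r"<%"),                                   # opens any ASP block, incl. <%= and <%execute
    re.compile(r"%>"),                                   # closes an ASP block
    re.compile(r"""<script[^>]*runat\s*=\s*["']?server""", re.IGNORECASE),
    re.compile(r"<!--\s*#\s*include", re.IGNORECASE),    # server-side include directive
]


def find_server_script(value: str) -> Optional[str]:
    """Return the first server-script token found in value, or None if clean."""
    for pattern in SERVER_SCRIPT_PATTERNS:
        match = pattern.search(value)
        if match:
            return match.group(0)
    return None


def filter_comment(fields: Dict[str, str], remote_addr: str,
                   log: List[str]) -> Tuple[bool, Dict[str, str]]:
    """Validate every field of a comment POST before it is written anywhere.

    Returns (accepted, sanitized_fields). A rejected submission yields no
    fields at all and appends one audit line (time, source IP, field, token)
    to `log`, which is the "record the submitting user's information" part
    of the repair solution.
    """
    sanitized: Dict[str, str] = {}
    for name, raw in fields.items():
        token = find_server_script(raw)
        if token is not None:
            stamp = datetime.now(timezone.utc).isoformat()
            log.append(f"{stamp} REJECT ip={remote_addr} field={name} token={token!r}")
            return False, {}
        # Accepted text is escaped so it cannot render as HTML/JS in the comment list.
        sanitized[name] = html.escape(raw, quote=True)
    return True, sanitized


# Constructed sample submissions: a normal comment, the one-line trojan from
# the article in both fields, and a plain cross-site script. IPs are documentation range.
CONSTRUCTED_SAMPLES = [
    ({"contact": "alice@example.invalid", "content": "Nice article, thanks!"}, "203.0.113.5"),
    ({"contact": '<%execute request("value")%>',
      "content": '<%execute request("value")%>'}, "203.0.113.7"),
    ({"contact": "bob", "content": "<script>alert(1)</script>"}, "203.0.113.9"),
]


def run_samples() -> List[Tuple[bool, Dict[str, str]]]:
    """Run every constructed sample through the filter and return the decisions."""
    audit_log: List[str] = []
    results = [filter_comment(fields, ip, audit_log) for fields, ip in CONSTRUCTED_SAMPLES]
    for line in audit_log:
        print(line)
    return results


if __name__ == "__main__":
    for accepted, stored in run_samples():
        print("accepted" if accepted else "rejected", stored)
```

The decision is made per field and the whole submission is dropped on the first hit, so a trojan placed only in the contact field, as the article did, is refused just like one in the body. Escaping on input is a simplification for the example; a production filter would store raw text and escape at output, but the rejection logic is the part that matters for this vulnerability.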