
[Full-disclosure] Insufficient User Input Validation in VP-ASP 6.50 Demo Code

From: CodeScan Labs Advisories <advisories_at_nospam>
Date: Wed Jan 20 2010 - 22:33:26 GMT
To: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>


CodeScan Advisory, codescan.com <advisories@codescan.com>
=========================================================

Insufficient User Input Validation in VP-ASP 6.50 Demo Code
===========================================================

Vendor Website:
http://www.vpasp.com/

Affected Version:
VP-ASP Shopping Cart 6.50 Demo Code And Earlier

Researched By:
CodeScan Labs <advisories@codescan.com>

Public disclosure on January 21st, 2010

== Overview ==

CodeScan Labs (http://www.codescan.com) has recently released a new source code scanning tool, CodeScan. CodeScan is an auditing tool designed to check web application source code for security vulnerabilities. It uses a source code parsing engine that traverses execution paths and tracks the flow of user supplied input from where it enters the application to where it is used.

During the ongoing testing of CodeScan ASP, VP-ASP was selected as one of the test applications. We downloaded a demo of VP-ASP from the VP-ASP website http://www.vpasp.com/virtprog/paypal.htm.

This advisory is the result of research into the security of VP-ASP, based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* SQL Injection *

An SQL Injection vulnerability arises because a variable is assigned directly from client-supplied data, for example in file shopsessionsubs.asp in Function Getwebsess:

        userid=cleanchars(request("websess"))
and:

        userid = Request.Cookies(cookiename)

In Sub ResponseCookies, variable websess receives the value of userid through a call to Getwebsess, and websess is then concatenated with other data to construct an SQL statement:

        cookiesql="Select * from sitesessions where sessionkey='" & websess & "'"

This SQL statement is used in a call to ADODB.Connection.Execute:

        set cookiers=cookiedbc.execute(cookiesql)

The function cleanchars does perform a security check on the input, but the check is based on a blacklist of characters considered dangerous in SQL statements. A whitelist of allowed characters is the safer approach, since a blacklist can easily overlook characters that should have been rejected.

* Cross Site Scripting and Arbitrary File Access *

Cross Site Scripting and Arbitrary File Access vulnerabilities are caused by assigning a variable from client data in file shopsessionsubs.asp, in Sub CookielessGenerateFilename:

        ipaddress = Request.Servervariables("REMOTE_HOST")

Variable ipaddress is concatenated with other data in Sub CookielessGenerateFilename to construct a variable filename:

        tempname=prefix & "_" & mm & dd & yy & "_" & Ipaddress
        tempname=tempname & ".txt"
        tempname=xsavesessionfilefolder & "\" & tempname
        filename=tempname

Variable filename is used in calls to Scripting.FileSystemObject.OpenTextFile and Response.Write in Sub CookielessReadFile:

        Set Myfile = fso.OpenTextFile(filename, 1, false)

and:

        response.write "<b>" & "unable to open file" & filename & "<br>" & err.description & "</b>"

These vulnerabilities do not depend on direct user input, but an attacker who can influence the REMOTE_HOST server variable or the cookies sent to the application can use either to supply malicious input.
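The following classic ASP code is an added example, not code from VP-ASP or CodeScan Labs. It shows the whitelist approach recommended above applied to both findings: the websess key is rejected unless every character is in an allowed set and the session lookup is parameterised instead of concatenated, and the cookieless file name is built from a validated client address rather than raw REMOTE_HOST. The names cookiename, cookiedbc and xsavesessionfilefolder are assumed to exist as in the original shopsessionsubs.asp.

```asp
<%
' Added example (not VP-ASP's own code): whitelist validation for the two
' inputs the advisory flags, plus a parameterised session lookup.
Const SAFE_ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

' True only if value is non-empty, no longer than maxLen, and every
' character is in allowed (binary comparison, so case matters).
Function OnlyAllowedChars(value, allowed, maxLen)
    Dim i
    OnlyAllowedChars = False
    If Len(value) < 1 Or Len(value) > maxLen Then Exit Function
    For i = 1 To Len(value)
        If InStr(1, allowed, Mid(value, i, 1), vbBinaryCompare) = 0 Then Exit Function
    Next
    OnlyAllowedChars = True
End Function

' Replacement for Getwebsess: reject the key outright instead of stripping
' "bad" characters, so no unexpected character reaches the SQL layer.
Function Getwebsess()
    Dim userid
    userid = Request("websess")
    If userid = "" Then userid = Request.Cookies(cookiename)
    If Not OnlyAllowedChars(userid, SAFE_ALNUM, 40) Then userid = ""
    Getwebsess = userid
End Function

' Parameterised replacement for the concatenated cookiesql statement;
' returns the ADODB.Recordset for the matching session row.
Function LookupSession(cookiedbc, websess)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cookiedbc
    cmd.CommandType = 1 ' adCmdText
    cmd.CommandText = "SELECT * FROM sitesessions WHERE sessionkey = ?"
    ' 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("sessionkey", 200, 1, 40, websess)
    Set LookupSession = cmd.Execute
End Function

' Replacement for the REMOTE_HOST-derived file name: use the client address,
' accept only dotted-decimal characters, so it can never form a path segment.
Function CookielessGenerateFilename(prefix, mm, dd, yy)
    Dim ipaddress
    ipaddress = Request.ServerVariables("REMOTE_ADDR")
    If Not OnlyAllowedChars(ipaddress, "0123456789.", 15) Then
        Err.Raise 5, "CookielessGenerateFilename", "unexpected client address"
    End If
    CookielessGenerateFilename = xsavesessionfilefolder & "\" & prefix & "_" & mm & dd & yy & "_" & ipaddress & ".txt"
End Function
%>
```

The raised error in CookielessGenerateFilename is deliberate: failing closed on an unexpected address is preferable to writing a file whose name was shaped by the client.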

== Credit ==

Discovered and advised to the vendor by CodeScan Labs

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development organisation that has developed the cornerstone application, CodeScan. CodeScan Labs helps organisations secure their web services through automated scanning of web application source code for security vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET C# and PHP.

CodeScan Labs operates with Responsible Disclosure where appropriate. As a result, any published advisories will contain information about problems identified by CodeScan that have been resolved by the vendor. Additional code problems identified by CodeScan or its staff that are not resolved by the vendor may not be made publicly available.