Security Advisory: CyberBuild vuln. - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  JSBoard XSS vulnerability
  VHCS --- Virtual Hosting Control System Cross Site Scripting
  [SA19922] CGI:IRC client.c Buffer Overflow Vulnerability
  Blog Mod <= 0.2.x SQL Injection

From: r0t <krustevs_(at)_googlemail.com>
Date: 02.05.2006
Subject: CyberBuild vuln.

CyberBuild vuln.

###############################################
Vuln. discovered by : r0t
Date: 1 may 2006
vendorlink:www.smartwin.com.au/cyberbuild.htm
affected versions:last
orginal advisory:http://pridels.blogspot.com/2006/05/cyberbuild-vuln.html
###############################################

Vuln. Description:

1. SQL injection.

CyberOffice Warehouse Builder contains a flaw that allows a remote sql
injection attacks.Input passed to the "SessionID" parameter in "login.asp"
and input passed to the "ProductIndex" parameter in "browse0.htm" isn't
properly sanitised before being used in a SQL query. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/login.asp?SessionID=[SQL]
/browse0.htm?ProductIndex=[SQL]

2. XSS
contains a flaw that allows a remote cross site scripting attack. This flaw
exists because input passed to the "SessionID" parameter in "login.asp" and
input passed to the "ProductIndex" parameter in "browse0.htm" and input
passed to the "rowcolor","heading" parameter in "/include/result.asp" isn't
properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.

examples:

/login.asp?SessionID=[XSS]

/browse0.htm?ProductIndex=[XSS]

/include/result.asp?debug=print&cols=3&lineco
lor=%23AAAAAA&menu=category&body=bodyblue&bol
d=bodyheading&hlcolor=%2388C4FF&bgcolor=%23E
0FFE0&menucolor=%23E0FFE0&hdcolor=%23B0B0B0&
idcolor=%23FFFFFF&header=bodywhite&rowcolor=[XSS]

/include/result.asp?debug=print&cols=3&linec
olor=%23AAAAAA&menu=category&body=bodyblue&b
old=bodyheading&hlcolor=%2388C4FF&bgcolor=%2
3E0FFE0&menucolor=%23E0FFE0&hdcolor=%23B0B0
B0&idcolor=%23FFFFFF&header=bodywhite&rowco
lor=%23E0FFE0&row=bodyblack&label=bodyblue&
heading=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/

test server