IHS

klouw rates this entry 10 out of 10.
Submitted: 2004-08-03 00:00:00
Added by: klouw
Hits: 10031
Score: 10

ASP Nuke is an open-source software application for running a community-based web site on a web server. By open-source, we mean the code is freely available for others to read, modify and use in accordance with the software license. The requirements for the ASP Nuke content management system are: 1. Microsoft SQL Server 2000 and 2. Microsoft Internet Information Server (IIS) 5.0 (http://www.aspnuke.com/)On 30 Dec. 2003 the hackers Cobac and Alnitak discovered a bug in Asp Nuke (version 1.2, 1.3, and 1.4)Problem : the file addurl-inc.asp included in the file gotourl.asp does not sanitize the input vars and make SQL injection possible.For a examples check the original advisory posted to a spanish forum: http://66.102.11.104/search?q=cache:10-ze5DIJ-UJ:www.elhacker.net/foro/index.php%3Ftopic%3D11830.0%3Bprev_next%3Dprev%22&hl=en(link broken in two lines, glue them together first :-)An attacker can obtain the user and admin passwords by crafting a SQL statement.

2004-08-05 09:42:24 (Anonymous):
This is another vulnerability with aspnuke sites:

Thanks to Klouw for this addition.

2004-08-05 15:35:33 (Anonymous):
very good!

2005-01-25 02:19:43 (Mephisto):
If you want it in english go here:http://babelfish.altavista.com/babelfish/trurl_pagecontent?url=http%3A%2F%2F66.102.11.104%2Fsearch%3Fq%3Dcache%3A10-ze5DIJ-UJ%3Awww.elhacker.net%2Fforo%2Findex.php%253Ftopic%253D11830.0%253Bprev_next%253Dprev%2522%26hl%3Den&lp=es_en

2005-02-27 04:34:51 (anlino):
stupid —-! Not google, nor altavista, or any searchwebpages save their url’s! Good one, anyway. a nine.