J-Security Center

Title: XLineSoft ASPRunner Multiple Vulnerabilities

Severity: HIGH

Description:

XLineSoft ASPRunner is a web-based application implemented in ASP. It is used to access and modify various databases through a browser.

ASPRunner is reported prone to multiple vulnerabilities. The reported issues include SQL injection, cross-site scripting, information disclosure and unauthorized access to database files.

The following specific issues affect the application:

All scripts except the login pages are reported to be prone to SQL injection. The issue exists because user-supplied data is not sufficiently sanitized before it is used in database queries. A remote attacker can pass crafted input through these scripts to the underlying database, altering the logic of the intended query and, depending on the database and the privileges of the application's database account, reading or modifying data the page was never meant to expose or carrying out other attacks.
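The following is an added illustration, not ASPRunner's own code, of what this class of issue looks like in a classic ASP search page: the vulnerable form splices the request value into the SQL text, the hardened form passes it as an ADODB parameter and maps any sort request onto a fixed list of column names. The script, table, column and parameter names, and the open connection object 'conn', are assumptions.

```asp
<%@ Language="VBScript" %>
<%
' Added example, not ASPRunner code. Assumed: "conn" is an open
' ADODB.Connection; "customers", "name", "city", "SearchFor" and "Sort"
' are placeholder table, column and parameter names.
Option Explicit
Dim term, sortCol, rs, cmd

term = Request.QueryString("SearchFor")

' --- Vulnerable: request data becomes part of the SQL text ---------------
' A request such as   customers_search.asp?SearchFor=x' OR 'a'='a
' produces   SELECT * FROM customers WHERE name = 'x' OR 'a'='a'
' which returns every row; other payloads change the query in other ways.
Set rs = conn.Execute("SELECT * FROM customers WHERE name = '" & term & "'")
rs.Close

' --- Hardened: the value travels as a typed parameter, never as SQL text ---
' Identifiers cannot be parameterised, so a requested sort column is mapped
' onto a fixed list and anything else falls back to a default.
Select Case LCase(Request.QueryString("Sort"))
    Case "name": sortCol = "name"
    Case "city": sortCol = "city"
    Case Else:   sortCol = "id"
End Select

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM customers WHERE name = ? ORDER BY " & sortCol
' 200 = adVarChar, 1 = adParamInput (the constants from adovbs.inc)
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 255, term)
Set rs = cmd.Execute

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

With the parameterised form the quote in the payload is delivered to the database as data, so the WHERE clause compares against the literal string x' OR 'a'='a and matches nothing. Note that the parameter is declared with an explicit type and length; a value longer than 255 characters is truncated or rejected by the provider rather than altering the statement.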

The application is also reported to be prone to cross-site scripting issues, which likewise affect most scripts. Affected scripts include '[TABLE]_search.asp', '[TABLE]_edit.asp', '[TABLE]_list.asp' and 'export.asp', where '[TABLE]' must be a valid table name in the underlying database. These issues exist because the application fails to properly sanitize user-supplied input before echoing it into the page. Successful exploitation allows an attacker to execute arbitrary script code in the browser of an unsuspecting user who follows a crafted link, which may be used to hijack web content or steal cookie-based authentication credentials from legitimate users.

Various information disclosure issues can reveal potentially sensitive information to an attacker. These include error messages and hidden form fields that disclose file names, SQL queries and other internal details. An attacker can use this information to refine the SQL injection and file access attacks described on this page and to carry out other attacks.

It is reported that, because access to the database files is not validated, an attacker can download them directly over the web. Prior knowledge of the file name is required to carry out this attack. Success discloses the entire contents of the database and can enable further attacks.
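The following added example, not ASPRunner's own code, places the three patterns behind the preceding two paragraphs (a database file under the web root, the query text carried in a hidden field, and a raw provider error written to the client) beside one corrected form of each. The connection string, paths, table name and session key are assumptions.

```asp
<%@ Language="VBScript" %>
<%
' Added example, not ASPRunner code. Assumed: a Jet (.mdb) database, the
' "data/app.mdb" and "D:\AppData\app.mdb" paths, the "customers" table and
' the "listQuery" session key are all illustrative.
Option Explicit
Dim connStr, sql, conn

' --- 1. Database file location ------------------------------------------
' Weak: the file sits under the site, so anyone who knows or guesses the
' name can fetch it as http://host/data/app.mdb.
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("data/app.mdb")
' Better: an absolute path outside every web-served directory. Only the
' account the site runs as needs NTFS access there; no URL maps to it.
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\AppData\app.mdb"

' --- 2. Query text in the page ------------------------------------------
sql = "SELECT id, name FROM customers ORDER BY name"
' Weak: the statement is sent to the browser in a hidden field, which both
' discloses it and invites the client to send back a modified one:
'   Response.Write "<input type=""hidden"" name=""SQL"" value=""" & sql & """>"
' Better: keep the statement server-side and send only an opaque key.
Session("listQuery") = sql
Response.Write "<input type=""hidden"" name=""q"" value=""list"">"

' --- 3. Error handling ---------------------------------------------------
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr
If Err.Number <> 0 Then
    ' Weak:  Response.Write Err.Description
    ' (reveals the provider, the file path and, on query errors, the SQL)
    ' Better: keep the detail server-side and return a fixed message.
    Response.Status = "500 Internal Server Error"
    Response.Write "The request could not be completed."
    Response.End
End If
On Error GoTo 0
%>
```

Moving the file outside the web root is the change that matters for the download issue; denying the URL in the web server configuration is a second layer, not a replacement, because a new virtual directory or a copied file silently reopens the hole. For the error path, the generic message only helps if the script handles its own errors: an unhandled ASP error falls through to the server's default error page, which can itself include the failing line and statement unless detailed errors to remote clients are disabled in the web server configuration.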

ASPRunner versions 2.4 and prior are affected by these issues.

Affected Products:

  • XLineSoft ASPRunner 1.0.0
  • XLineSoft ASPRunner 2.0.0
  • XLineSoft ASPRunner 2.1.0
  • XLineSoft ASPRunner 2.2.0
  • XLineSoft ASPRunner 2.3.0
  • XLineSoft ASPRunner 2.4.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.