##################################################
Calisto Light, Light Plus and Full, SQL Injection and user or admin bypass
Vendor URL: http://www.calistosoft.com.ar/
Advisory: http://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.html
Vendor notified: YES
Exploit available: YES
##################################################

##########################
Vulnerability Description
##########################

Calisto Light, Light Plus and Full contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the script not properly sanitizing user-supplied input to the 'usuario' form field and the 'txtEmail' parameter upon submission to 'login.aspx' and '/admin/loginAdmin.aspx'. This may allow an attacker to inject or manipulate SQL queries in the backend database.

################
Versions affected
################

Calisto Light
Calisto Light Plus
Calisto Full

######################
Proof Of Concept
######################

This issue can be used to bypass admin validation or user validation.

1- If an attacker writes in the 'Usuario' box:

someword'or'1'='1'

and clicks the login button, when the application posts to 'login.aspx' it shows a nice SQL warning. But if he writes:

someword'or'1'='1'--

it bypasses validation. If anyone knows a user's email, then he can log in as this user :)

2- If an attacker writes in the 'usuario' box of the admin section:

Admin'or'1'='1'--

and clicks the login button, when the application posts to '/admin/loginAdmin.aspx' it bypasses admin validation. :)

################
Solution
###############

No solution was available at this time. I have sent four emails to calistosoft via their webform and the info and support mail addresses to get initial contact, but they haven't responded :(

###############
Timeline
###############

Discovered: 30-07-2011
Vendor notified: 7-08-2011
Vendor response: no response.
Workaround patch: no patch
Vendor patch: no patch
Public disclosure: 11-08-2011

##########################
€nd
########################

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what moves the mind....
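As an added illustration of the defect behind the proof of concept above and of its fix (example code written here, not Calisto's own ASP.NET code; the table, column names and sample user are assumed), a login check that builds its WHERE clause by string concatenation is run beside a parameterized one against the two 'usuario' payloads from the advisory, using an in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's user table (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (usuario TEXT, txtEmail TEXT, clave TEXT)")
    con.execute("INSERT INTO usuarios VALUES ('alice', 'alice@example.test', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, usuario, clave):
    """The advisory's flaw: user input is spliced straight into the SQL text,
    so a quote closes the literal and '--' comments out the password check."""
    sql = ("SELECT usuario FROM usuarios WHERE usuario = '" + usuario
           + "' AND clave = '" + clave + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, usuario, clave):
    """The mitigation: both values are bound parameters, so quotes and '--'
    are compared as data and never reach the SQL parser as syntax."""
    row = con.execute(
        "SELECT usuario FROM usuarios WHERE usuario = ? AND clave = ?",
        (usuario, clave),
    ).fetchone()
    return row[0] if row else None


def try_login(fn, con, usuario, clave):
    """Returns ('ok', user), ('denied', None) or ('sql-error', message); the
    'sql-error' outcome is the 'SQL warning' the advisory observes for the
    payload without the trailing '--'."""
    try:
        user = fn(con, usuario, clave)
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))
    return ("ok", user) if user else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    for payload in ("someword'or'1'='1'", "someword'or'1'='1'--"):
        print("vulnerable:", repr(payload), try_login(login_vulnerable, db, payload, "x"))
        print("fixed:     ", repr(payload), try_login(login_fixed, db, payload, "x"))
```

Running it shows the first payload producing a parse error and the second one logging in as the first stored user through the concatenated query, while the parameterized query denies both and still accepts the real credentials.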