Hi,
I've written a test for the VIEWSTATE vulnerability reported in the PRADO Component Framework (http://www.xisc.com/forum/viewtopic.php?t=1477, http://secunia.com/advisories/15220/)

The script first of all tries to confirm that the site being checked was generated by PRADO by looking for the hidden __VIEWSTATE form control. It then does a POST containing a VIEWSTATE with an invalid HMAC. Patched Prado versions (2.0.1+) will reject this with a "ViewState data is corrupted" error, whereas vulnerable versions (which do not use any HMAC verification) will report an unserialize() error.

Does anybody have any suggestions as to how this script and others like it could be applied against pages other than the server root, that is to other pages found while spidering the server?

Any comments are welcome...
Regards,
Hubert Seiwert, Internet Security Specialist
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
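
The server-side difference that the test in the message above keys on, as an added example that is not part of the original post and is not PRADO's code. It assumes a field layout of base64(HMAC-SHA256 || body), uses JSON as a stand-in for PHP's serialize(), and all function names, the key and the probe are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"            # constructed; a real app loads a server-side secret
MAC_LEN = hashlib.sha256().digest_size   # SHA-256 is an assumption, not taken from PRADO

class ViewStateError(Exception):
    pass

def seal(state):
    """Serialize page state (JSON stands in for PHP serialize()) and prepend an HMAC."""
    body = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(hmac.new(KEY, body, hashlib.sha256).digest() + body).decode()

def load_unverified(field):
    """Pre-fix model: no MAC in the format, client bytes go straight to the parser."""
    try:
        return json.loads(base64.b64decode(field))
    except ValueError as exc:
        raise ViewStateError("unserialize() error: %s" % exc)

def load_verified(field):
    """Check the HMAC in constant time; parse only bytes the server itself produced."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:
        raise ViewStateError("ViewState data is corrupted")
    mac, body = raw[:MAC_LEN], raw[MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ViewStateError("ViewState data is corrupted")
    return json.loads(body)

def error_for(loader, field):
    """Return the error text a loader produces for a field, or None if it accepts it."""
    try:
        loader(field)
        return None
    except ViewStateError as exc:
        return str(exc)

def classify(error_text):
    """Map the error text to the two outcomes described in the message."""
    if error_text and "ViewState data is corrupted" in error_text:
        return "HMAC verified (2.0.1+ behaviour)"
    if error_text and "unserialize()" in error_text:
        return "no HMAC verification"
    return "inconclusive"

# Constructed probe: all-zero MAC followed by bytes that are not valid serialized state.
PROBE = base64.b64encode(b"\x00" * MAC_LEN + b"not-serialized-state").decode()
```

The verified loader never hands client-controlled bytes to the parser unless the MAC matches, which is why the two versions fail with different errors on the same probe.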