Message-ID: <20051115174401.4554.qmail@securityfocus.com>
Date: 15 Nov 2005 17:44:01 -0000
From: r.verton@...il.com
To: bugtraq@...urityfocus.com
Subject: Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS


Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS 
========================================================================


   Software: Affiliate Network Pro v7.2
   Severity: SQL Injection(s), Arbitrary code execution, XSS
   Risk: High
   Author: Robin Verton <r.verton@...il.com>
   Date: Nov. 15 2005
   Vendor: www.alstrasoft.com


   Description:

	AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows 
	you to start your own successful affiliate network just like LinkShare and Commission Junction.
	[http://www.alstrasoft.com/]


   Details:

	1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)

	   $login         =(trim($_POST['login']));         //  login name
	   $passwd        =(trim($_POST['passwd']));        //  login password

	   [...]

	   $sql           ="SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'";
	   $result        =mysql_query($sql);

	   Because no input validation is performed, it is possible to inject SQL. Submitting the index.php login form
	   with the username admin and the password ' OR '1'='1 closes the password literal early, so the WHERE clause
	   ends in admin_password='' OR '1'='1', which is true for every row. The query returns a row regardless of the
	   real password and you are logged in as an administrator.
	   

	2) /admin/admin_options_manage.php

	   $number        =trim($_POST['number']);
	   $number        =$number;		//Notice by auditor: Great code here ;p
	   if($number){
	       $filename  ="../includes/constants.php";
	       $fd = fopen ($filename, "r");
	       $contents = fread ($fd, filesize ($filename));
	       fclose($fd);

	       $conts        =explode("\n",$contents);
	       $n            =count($conts);
	       for ($i=0; $i<$n; $i++) {
	           $tmp          =explode("=",$conts[$i]);
	           $tmp1         =trim($tmp[0]);

	           if($tmp1=="$"."lines"){
	               $conts[$i]    =str_replace($lines,$number,$conts[$i]);
	               continue;
	           }
	       }

	       $fd = fopen ($filename, "w");
	       $cont1  =implode("\n",$conts);
	       fwrite($fd,$cont1);
	       fclose($fd);

	   Because the input $_POST['number'] is not validated, you can write any code you want into /includes/constants.php:
	   the loop looks for the line whose left-hand side is $lines and replaces the current value of $lines with the
	   submitted number verbatim, so everything after the number is written into the file as PHP and executed on the
	   next include. Example input that runs phpinfo() each time /includes/constants.php is included or accessed:

	   0; phpinfo()
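To make the file-write concrete, the following is an added example (not code from the advisory or from AlstraSoft): a Python port of the rewrite loop above, with a payload run through it, beside the integer check the vendor code is missing. The sample constants.php content is constructed; the advisory does not show the real file, only that some line's left-hand side trims to "$lines", and the port assumes, as the PHP does, that the current value of $lines is already known from the included file.

```python
import re

# Constructed stand-in for includes/constants.php. Only the shape of the
# "$lines=..." line is implied by the vendor code; the rest is invented.
SAMPLE_CONSTANTS = "<?php\n$sitename = 'Affiliate Network';\n$lines=10;\n?>"


def rewrite_lines_setting(contents, current_value, number):
    """Behaves like the vendor loop: find the line whose part before '=' is
    '$lines' and replace the current value of $lines (current_value, which the
    PHP takes from the already-included constants.php) with the POSTed number,
    verbatim and without any validation."""
    conts = contents.split("\n")
    for i, line in enumerate(conts):
        if line.split("=")[0].strip() == "$lines":
            conts[i] = line.replace(current_value, number)
    return "\n".join(conts)


def rewrite_lines_setting_safe(contents, current_value, number):
    """Added hardening (an assumption, not the vendor's fix): accept only a
    short run of digits, so the written line can never contain anything but
    an integer literal."""
    if not re.fullmatch(r"[0-9]{1,6}", number):
        raise ValueError("number must be a non-negative integer")
    return rewrite_lines_setting(contents, current_value, number)


if __name__ == "__main__":
    # The advisory's payload turns "$lines=10;" into "$lines=0; phpinfo();"
    print(rewrite_lines_setting(SAMPLE_CONSTANTS, "10", "0; phpinfo()"))
```

The payload does not need a quote character at all, which is why the addslashes-style mitigation suggested later in this advisory does not help here; the only reliable fix is to reject anything that is not an integer before it reaches the file.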
	   

	3) /admin/index.php XSS Vulnerability

	   Via the $Err parameter, which is echoed without any XSS filtering, you can inject HTML code:

	   /admin/index.php?Err=<script>alert('foobar');</script>

	4) /index.php?Act=register XSS Vulnerabilities

	   Same as in /admin/index.php: all fields of the register form, such as $firstname, $lastname or $fax, are vulnerable to XSS attacks.

	   /index.php?Act=register&firstname=<script>alert('weeow :D');</script>
	   /index.php?Act=register&lastname=<script>alert('weeow :D');</script>
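The two reflected-XSS cases above, rebuilt as an added example (not vendor code) of a minimal page renderer with and without output encoding. The request URLs are the advisory's own; the HTML templates are assumptions about what admin/index.php and the register form echo, chosen so that one value lands in element text and the others inside value='...' attributes, since the attribute case is where the quote handling of the encoder matters.

```python
import html
from urllib.parse import unquote

# The advisory's example requests, used as constructed input.
ADMIN_URL = "/admin/index.php?Err=<script>alert('foobar');</script>"
REGISTER_URL = ("/index.php?Act=register&firstname=<script>alert('weeow :D');</script>"
                "&lastname=Smith")


def params(url):
    """Split the query string on '&' only; the payload itself contains ';'
    and must not be split there."""
    out = {}
    for part in url.partition("?")[2].split("&"):
        key, _, value = part.partition("=")
        out[unquote(key)] = unquote(value)
    return out


def render(url, escape):
    """escape is applied to every reflected value: the identity function
    reproduces the vendor behaviour, html.escape fixes it. The templates are
    assumptions standing in for the real admin/index.php and register form."""
    p = params(url)
    if "Err" in p:
        return "<div class='error'>%s</div>" % escape(p["Err"])
    return ("<input name='firstname' value='%s'>"
            "<input name='lastname' value='%s'>"
            % (escape(p.get("firstname", "")), escape(p.get("lastname", ""))))


def render_vulnerable(url):
    return render(url, lambda s: s)


def render_safe(url):
    # quote=True also encodes ' and ", which is what stops a value from
    # breaking out of the single-quoted attribute in the register form.
    return render(url, lambda s: html.escape(s, quote=True))


def has_script_tag(page):
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(ADMIN_URL))
    print(render_safe(ADMIN_URL))
    print(render_safe(REGISTER_URL))
```

In the PHP original the equivalent of html.escape(s, quote=True) is htmlspecialchars($s, ENT_QUOTES) applied at every echo, not addslashes on input, which changes nothing about how a browser interprets the reflected value.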

	5) /login_validate.php  (with magic_quotes_gpc = Off)

	   $login         =trim($_POST['login']);       //login email id
	   $passwd        =trim($_POST['password']);    //password
	   $flag          =trim($_POST['flag']);        //differentiate merchant and affiliate

	   $sql           ="SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'";
	   $result        =mysql_query($sql);

	   As in the admin login form, the user input is not validated here either. The impact is the same: you can log in
	   as an arbitrary user or inject SQL of your own. (Note that, as excerpted, the query interpolates $type while the
	   POSTed flag is stored in $flag.)
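The authentication bypass from items 1 and 5 share one shape, so here is a single added example (not code from the advisory or the vendor) that rebuilds the admin login query over SQLite, runs the advisory's payload through it, and shows the parameterised query that closes the hole. The partners_admin table and its two rows are constructed sample data; only the column names come from the advisory. The comment-based payload at the end goes beyond the page's ' OR '1'='1 example: it is the same flaw used to pick a specific account.

```python
import sqlite3


def make_db():
    """Constructed sample data: two admin accounts with made-up passwords."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE partners_admin (admin_login TEXT, admin_password TEXT)")
    con.execute("INSERT INTO partners_admin VALUES ('admin', 's3cret')")
    con.execute("INSERT INTO partners_admin VALUES ('backup', 'x9y8z7')")
    con.commit()
    return con


def vulnerable_login(con, login, passwd):
    """String-built query with exactly the shape of the vendor's $sql.
    Returns the admin_login of the first matching row, or None."""
    sql = ("SELECT admin_login FROM partners_admin WHERE admin_login='%s' "
           "AND admin_password='%s'" % (login, passwd))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con, login, passwd):
    """Parameterised query: the values travel separately from the SQL text,
    so quotes or comment markers in the input never alter the statement."""
    sql = ("SELECT admin_login FROM partners_admin "
           "WHERE admin_login=? AND admin_password=?")
    row = con.execute(sql, (login, passwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    # The advisory's payload: the clause becomes admin_password='' OR '1'='1'
    print(vulnerable_login(con, "admin", "' OR '1'='1"))     # admin
    # Picking an account: the rest of the WHERE clause is commented out
    print(vulnerable_login(con, "backup'-- ", "whatever"))   # backup
    print(safe_login(con, "admin", "' OR '1'='1"))           # None
```

Note that the advisory's suggested mitigation, addslashes() or magic_quotes_gpc, relies on MySQL treating a backslash as an escape inside string literals; SQLite does not, so that mitigation cannot even be reproduced here, whereas the parameterised form behaves the same on both.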

	6) /togateway.php Path disclosure

	   Because the file does not properly check whether it is being accessed directly rather than included,
	   requesting it by its URL discloses the filesystem path of the affiliate application. This file is only
	   an example: nearly EVERY file that should not be reachable through direct browsing can be accessed directly!

	 

	There are several more SQL injections in this software, too many to list here.
	   
	   
   Patch:
          The quickest way to blunt the SQL injections in Affiliate Network Pro is to set magic_quotes_gpc = On in
          php.ini or to apply a global addslashes() to user-submitted variables. This only covers the quote-based
          injections in 1) and 5); it does nothing for the file write in 2), whose payload needs no quote character,
          for the XSS in 3) and 4), or for the path disclosure in 6). The durable fixes are parameterised queries, an
          integer check on $_POST['number'] before it is written to constants.php, and htmlspecialchars() on every
          echoed value. (magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4.)
  
   Credits:

	Credit goes to Robin Verton

   References:

	[1] http://www.alstrasoft.com/affiliate.htm
	[2] http://myblog.it-security23.net

