List: bugtraq
Subject: Affiliate Network Pro v7.2 SQL Injections, Arbitrary code
From: r.verton () gmail ! com
Date: 2005-11-15 17:44:01
Message-ID: 20051115174401.4554.qmail () securityfocus ! com
Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS
========================================================================
Software: Affiliate Network Pro v7.2
Severity: SQL Injection(s), Arbitrary code execution, XSS
Risk: High
Author: Robin Verton <r.verton@gmail.com>
Date: Nov. 15 2005
Vendor: www.alstrasoft.com
Description:
AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows you to start your own successful affiliate network just like LinkShare and Commission Junction. [http://www.alstrasoft.com/]
Details:
1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)
$login =(trim($_POST['login'])); // login name
$passwd =(trim($_POST['passwd'])); // login password
[...]
$sql ="SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'"; $result =mysql_query($sql);
Because there is no input validation, it is possible to inject SQL. Submitting the username admin and the password ' OR '1'='1 in the index.php login form logs you in as an administrator.
2) /admin/admin_options_manage.php
$number=trim($_POST['number']);
$number =$number; //Notice by auditor: Great code here ;p
if($number){
$filename ="../includes/constants.php";
$fd = fopen ($filename, "r");
$contents = fread ($fd, filesize ($filename));
fclose($fd);
$conts =explode("\n",$contents);
$n =count($conts);
for ($i=0; $i<$n; $i++) {
$tmp =explode("=",$conts[$i]);
$tmp1 =trim($tmp[0]);
if($tmp1=="$"."lines"){
$conts[$i] =str_replace($lines,$number,$conts[$i]); continue;
}
}
$fd = fopen ($filename, "w");
$cont1 =implode("\n",$conts);
fwrite($fd,$cont1);
fclose($fd);
Because the input of $_POST['number'] is not validated, you can write any code you want into the /includes/constants.php file. Example input to run phpinfo() each time /includes/constants.php is included or accessed:
0; phpinfo()
3) /admin/index.php XSS Vulnerability
Via the $Err parameter, which is not validated against XSS, you can insert HTML code:
/admin/index.php?Err=<script>alert('foobar');</script>
4) /index.php?Act=register XSS Vulnerabilities
Same as in the /admin/index.php file: all fields in the register form, such as $firstname, $lastname or $fax, are vulnerable to XSS attacks.
/index.php?Act=register&firstname=<script>alert('weeow :D');</script>
/index.php?Act=register&lastname=<script>alert('weeow :D');</script>
5) /login_validate.php (with magic_quotes_gpc = Off)
$login =trim($_POST['login']); //login email id
$passwd =trim($_POST['password']); //password
$flag =trim($_POST['flag']); //differentiate merchant and affiliate
$sql ="SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'"; $result =mysql_query($sql);
As in the admin login form, the user input is not validated here either. The impact is the same: you can log in as an arbitrary user or inject SQL.
6) /togateway.php Path disclosure
Because the check whether a file is being accessed directly is insufficient, this file discloses the path of the affiliate application. This file is only an example: nearly EVERY file that should not be reachable through direct browsing can be accessed directly!
There are a few more SQL injections in this software, too many to list them all here.
Patch:
The best way to secure Affiliate Network Pro is to set magic_quotes_gpc to On in php.ini or to apply addslashes() globally to user-submitted variables.
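Added example, not code from the advisory or from the vendor: hardened versions of the patterns from items 1, 2 and 3 above, using a mysqli prepared statement, strict integer validation and output escaping rather than quote escaping. It assumes a mysqli connection $db and the table and column names quoted in the advisory; note that addslashes() would not stop item 2, since the payload 0; phpinfo() contains no quotes, whereas validating the value as an integer does.

```php
<?php
// Added example (not AlstraSoft's code). Assumes a mysqli connection $db and
// the partners_admin / admin_login / admin_password names from the advisory.

// 1) Admin login: a parameterised query, so ' OR '1'='1 is compared as a
//    literal string instead of being spliced into the SQL.
function admin_login_ok(mysqli $db, string $login, string $passwd): bool {
    $stmt = $db->prepare(
        "SELECT 1 FROM partners_admin WHERE admin_login = ? AND admin_password = ? LIMIT 1"
    );
    $stmt->bind_param('ss', $login, $passwd);
    $stmt->execute();
    $stmt->store_result();
    $ok = ($stmt->num_rows === 1);
    $stmt->close();
    return $ok;
}

// 2) Rewriting the $lines setting in includes/constants.php: accept only a
//    small non-negative integer and regenerate the whole assignment line.
//    A value such as "0; phpinfo()" fails the regex and is never written.
function save_lines_setting(string $filename, string $raw): bool {
    if (!preg_match('/^\d{1,5}$/', $raw)) {
        return false; // not a plain integer: refuse to touch the file
    }
    $number = (int)$raw;
    $conts = file($filename, FILE_IGNORE_NEW_LINES);
    if ($conts === false) {
        return false;
    }
    foreach ($conts as $i => $line) {
        // Match the "$lines = ..." assignment (single quotes keep \$ literal).
        if (preg_match('/^\s*\$lines\s*=/', $line)) {
            $conts[$i] = '$lines = ' . $number . ';';
        }
    }
    return file_put_contents($filename, implode("\n", $conts) . "\n", LOCK_EX) !== false;
}

// 3) Reflected $Err in admin/index.php: escape before echoing so that
//    <script> tags are rendered as text rather than executed.
function render_error(string $err): string {
    return htmlspecialchars($err, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```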
Credits:
Credit goes to Robin Verton
References:
[1] http://www.alstrasoft.com/affiliate.htm
[2] http://myblog.it-security23.net