
List:       bugtraq
Subject:    Affiliate Network Pro v7.2 SQL Injections, Arbitrary code
From:       r.verton () gmail ! com
Date:       2005-11-15 17:44:01
Message-ID: 20051115174401.4554.qmail () securityfocus ! com

Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS 
========================================================================


   Software: Affiliate Network Pro v7.2
   Severity: SQL Injection(s), Arbitrary code execution, XSS
   Risk: High
   Author: Robin Verton <r.verton@gmail.com>
   Date: Nov. 15 2005
   Vendor: www.alstrasoft.com


   Description:

	AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows you to start your own successful affiliate network just like LinkShare and Commission Junction. [http://www.alstrasoft.com/]


   Details:

	1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)  

	   $login   = (trim($_POST['login']));          //  login name
	   $passwd  = (trim($_POST['passwd']));         //  login password

	   [...]

	   $sql     = "SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'";
	   $result  = mysql_query($sql);
	   
	   Because the input is not validated at all, it is possible to inject SQL here. Submitting the login form on index.php with the username admin and the password ' OR '1'='1 logs you in as an administrator.

	2) /admin/admin_options_manage.php

	   $number = trim($_POST['number']);
	   $number = $number;                     // Notice by auditor: Great code here ;p
	   if($number){
	       $filename = "../includes/constants.php";
	       $fd       = fopen ($filename, "r");
	       $contents = fread ($fd, filesize ($filename));
	       fclose($fd);

	       $conts = explode("\n",$contents);
	       $n     = count($conts);
	       for ($i=0; $i<$n; $i++) {
	           $tmp  = explode("=",$conts[$i]);
	           $tmp1 = trim($tmp[0]);

	           if($tmp1=="$"."lines"){
	               $conts[$i] = str_replace($lines,$number,$conts[$i]);
	               continue;
	           }
	       }

	       $fd    = fopen ($filename, "w");
	       $cont1 = implode("\n",$conts);
	       fwrite($fd,$cont1);
	       fclose($fd);
	   }

	   Because the input of $_POST['number'] is not validated, you can write any code you want into the /includes/constants.php file. Example input to show a phpinfo() each time /includes/constants.php is included or accessed:

	   0; phpinfo()
	   
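
	   Added example (not the vendor's code, nor the advisory author's): the two patterns quoted in 1) and 2) rewritten to bind the SQL parameters and to validate the number before it is written into constants.php, rather than relying on addslashes(). The table and column names are taken from the advisory; the function names and the mysqli connection handle are assumptions.

```php
<?php
// Added example (not the vendor's or the advisory author's code): hardened
// forms of the two patterns quoted in 1) and 2). Table and column names are
// taken from the advisory; function names and the mysqli handle are assumed.

// 1) Bind login and password as parameters, so a value such as  ' OR '1'='1
//    is compared as a literal string instead of being parsed as SQL. This does
//    not rely on magic_quotes_gpc or addslashes(). The advisory does not say
//    how admin passwords are stored, so the comparison is kept as in the original.
function admin_login_is_valid(mysqli $db, string $login, string $passwd): bool
{
    $login  = trim($login);
    $passwd = trim($passwd);
    $stmt = $db->prepare(
        "SELECT admin_login FROM partners_admin WHERE admin_login = ? AND admin_password = ?"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $login, $passwd);
    $stmt->execute();
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);   // exactly one matching admin row
    $stmt->close();
    return $found;
}

// 2) Only a run of ASCII digits may be written into constants.php, and the
//    whole "$lines = ...;" assignment is regenerated instead of str_replace()ing
//    the old value, so input like  0; phpinfo()  never reaches the PHP file.
function update_lines_constant(string $filename, string $number): bool
{
    if (!ctype_digit($number)) {        // rejects "", "0; phpinfo()", "-1", "1e3"
        return false;
    }
    $conts = file($filename, FILE_IGNORE_NEW_LINES);
    if ($conts === false) {
        return false;
    }
    foreach ($conts as $i => $line) {
        // same test as the original loop: the text before "=" is "$lines"
        if (preg_match('/^\s*\$lines\s*=/', $line)) {
            $conts[$i] = '$lines = ' . (int) $number . ';';
        }
    }
    return file_put_contents($filename, implode("\n", $conts) . "\n", LOCK_EX) !== false;
}
```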

	3) /admin/index.php XSS Vulnerability

	   Via the $Err parameter - which is not validated against XSS - you can insert HTML code:

	   /admin/index.php?Err=<script>alert('foobar');</script>

        4) /index.php?Act=register XSS Vulnerabilities
	
	   Same as in the /admin/index.php file - all fields in the register form, like $firstname, $lastname or $fax, are vulnerable to XSS attacks.

	   /index.php?Act=register&firstname=<script>alert('weeow :D');</script>
	   /index.php?Act=register&lastname=<script>alert('weeow :D');</script>

	5) /login_validate.php  (with magic_quotes_gpc = Off)

	   $login   = trim($_POST['login']);       //login email id
	   $passwd  = trim($_POST['password']);    //password
	   $flag    = trim($_POST['flag']);        //differentiate merchant and affiliate

	   $sql     = "SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'";
	   $result  = mysql_query($sql);

	   As in the admin login form, the user input is not validated here either. Same impact: you can log in as an arbitrary user or inject SQL.

	6) /togateway.php Path disclosure
           
	   Because the check whether a file is accessed directly is insufficient, the path of the affiliate application is disclosed here. This file is only an example; nearly EVERY file that should not be reachable by direct browsing can be accessed directly!

	 

	There are a few more SQL injections in this software, too many to list them all here.
	   
   Patch:
          Best way to secure Affiliate Network Pro is to set magic_quotes_gpc to On in php.ini or to insert a global addslashes for the user-submitted variables.
  
   Credits:

	Credit goes to Robin Verton

   References:

	[1] http://www.alstrasoft.com/affiliate.htm
	[2] http://myblog.it-security23.net

