Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): High
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system, allowing full access to the vulnerable system's settings and files.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS
========================================================================
Software: Affiliate Network Pro v7.2
Severity: SQL Injection(s), Arbitrary code execution, XSS
Risk: High
Author: Robin Verton <r.verton (at) gmail (dot) com>
Date: Nov. 15 2005
Vendor: www.alstrasoft.com
Description:
AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows
you to start your own successful affiliate network just like LinkShare and Commission Junction.
[http://www.alstrasoft.com/]
Details:
1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)
$login = (trim($_POST['login']));   // login name
$passwd = (trim($_POST['passwd'])); // login password
[...]
$sql = "SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'";
$result = mysql_query($sql);
Because there is no input validation, it is possible to inject malicious SQL. By submitting (in the index.php login form)
the username admin and the password ' OR '1'='1 you can log in as an administrator.
2) /admin/admin_options_manage.php
$number = trim($_POST['number']);
$number = $number; // Notice by auditor: Great code here ;p
if($number){
    $filename = "../includes/constants.php";
    $fd = fopen($filename, "r");
    $contents = fread($fd, filesize($filename));
    fclose($fd);
    $conts = explode("\n", $contents);
    $n = count($conts);
    for ($i=0; $i<$n; $i++) {
        $tmp = explode("=", $conts[$i]);
        $tmp1 = trim($tmp[0]);
        if($tmp1 == "$"."lines"){
            // $lines is the current value defined in constants.php; it is replaced
            // with the unvalidated POST input and the line is written back to the PHP file.
            $conts[$i] = str_replace($lines, $number, $conts[$i]);
            continue;
        }
    }
    $fd = fopen($filename, "w");
    $cont1 = implode("\n", $conts);
    fwrite($fd, $cont1);
    fclose($fd);
}
Because the input of $_POST['number'] is not validated, you can write any code you want into the /includes/constants.php file.
Example input to show a phpinfo() each time /includes/constants.php is included or accessed:
0; phpinfo()
3) /admin/index.php XSS Vulnerability
Via the $Err parameter, which is not validated against XSS, you can insert HTML code:
/admin/index.php?Err=<script>alert('foobar');</script>
4) /index.php?Act=register XSS Vulnerabilities
Same as in the /admin/index.php file: all fields in the register form, such as $firstname, $lastname or $fax, are vulnerable to XSS attacks.
/index.php?Act=register&firstname=<script>alert('weeow :D');</script>
/index.php?Act=register&lastname=<script>alert('weeow :D');</script>
5) /login_validate.php (with magic_quotes_gpc = Off)
$login = trim($_POST['login']);    // login email id
$passwd = trim($_POST['password']); // password
$flag = trim($_POST['flag']);       // differentiate merchant and affiliate
$sql = "SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'";
$result = mysql_query($sql);
As in the admin login form, the user input isn't validated here either. Same impact: you can log in as a random user or
inject malicious SQL.
6) /togateway.php Path disclosure
Because of the insufficient check for whether a file is accessed directly, this file discloses the path of the affiliate application.
This file is only an example; nearly EVERY file that shouldn't be accessible through direct browsing can be accessed directly!
There are a few more SQL injections in this software, too many to count them all here.
Patch:
The best way to secure Affiliate Network Pro is to set magic_quotes_gpc to On in php.ini or to apply addslashes globally to
user-submitted variables.
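The following PHP is an added example, not code from the advisory or from AlstraSoft. It shows hardened counterparts of the three patterns reported above: the login queries of findings 1 and 5, the constants.php rewrite of finding 2, and the reflected parameters of findings 3 and 4. The table and column names come from the quoted snippets; the PDO DSN and credentials, the function names, and the 1..1000 range for the setting are assumptions. magic_quotes_gpc, which the patch section relies on, was deprecated in PHP 5.3 and removed in PHP 5.4, so bound parameters rather than addslashes are the durable fix for the SQL injections.

```php
<?php
// Added example (not AlstraSoft's code): hardened counterparts of the advisory's
// three vulnerable patterns. Connection details below are placeholders.

// --- Findings 1 and 5: bound parameters instead of string-built SQL ---
function connectDb(): PDO {
    // Placeholder DSN/credentials (assumption).
    $pdo = new PDO('mysql:host=localhost;dbname=affiliate;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

function adminLogin(PDO $pdo, string $login, string $passwd): ?array {
    // The input never becomes part of the SQL text, so a value such as
    // ' OR '1'='1 is compared literally against the column and matches nothing.
    $stmt = $pdo->prepare(
        'SELECT * FROM partners_admin WHERE admin_login = ? AND admin_password = ?'
    );
    $stmt->execute([trim($login), trim($passwd)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Finding 2: validate the setting before it is written into PHP source ---
function setLinesPerPage(string $filename, string $input): void {
    $input = trim($input);
    // Accept only a small positive integer; "0; phpinfo()" is rejected here.
    // The 1..1000 range is an assumption for this example.
    if (!ctype_digit($input) || (int)$input < 1 || (int)$input > 1000) {
        throw new InvalidArgumentException('number must be an integer between 1 and 1000');
    }
    $number = (int)$input;
    $contents = file_get_contents($filename);
    if ($contents === false) {
        throw new RuntimeException("cannot read $filename");
    }
    $conts = explode("\n", $contents);
    foreach ($conts as $i => $line) {
        // Same match as the original (the line assigning $lines), but the line is
        // rebuilt from the validated integer via var_export(), never from raw input.
        if (preg_match('/^\s*\$lines\s*=/', $line)) {
            $conts[$i] = '$lines = ' . var_export($number, true) . ';';
        }
    }
    file_put_contents($filename, implode("\n", $conts), LOCK_EX);
}

// --- Findings 3 and 4: escape everything reflected into HTML ---
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// e.g. echo '<p class="error">' . h($_GET['Err'] ?? '') . '</p>';

if (PHP_SAPI === 'cli') {
    // Constructed demo on a temporary constants.php: the advisory's payload is
    // rejected, a plain integer is written back as an int literal.
    $tmp = tempnam(sys_get_temp_dir(), 'constants');
    file_put_contents($tmp, "<?php\n\$lines=10;\n\$other='x';\n");
    try {
        setLinesPerPage($tmp, '0; phpinfo()');
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
    setLinesPerPage($tmp, '25');
    echo file_get_contents($tmp);
    echo h("<script>alert('foobar');</script>"), "\n";
    unlink($tmp);
}
```

Two points the code does not change: the login still compares a stored plaintext password, which is a separate issue from the injection, and rewriting PHP source from a web form is fragile even when validated; storing the per-page setting in the database removes finding 2 altogether.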
Credits:
Credit goes to Robin Verton
References:
[1] http://www.alstrasoft.com/affiliate.htm
[2] http://myblog.it-security23.net