[FS-05-01] Multiple vulnerabilities in phpAdsNew

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [FS-05-01] Multiple vulnerabilities in phpAdsNew
From: Toni Koivunen <toni.koivunen@xxxxxxxxxx>
Date: Thu, 10 Nov 2005 08:59:26 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 0.8 (X11/20041020)

_________________________________________
Security Advisory
_________________________________________
http://www.fitsec.com/advisories
_________________________________________

  Severity: Low/Medium
  Title: Multiple vulnerabilities in phpAdsNew
  Date: 10.11.2005
  ID: FS-05-01
  Author: Toni Koivunen (toni.koivunen (at) fitsec.com)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis:

phpAdsNew has a path disclosure vulnerability which allows a potential
attacker to learn the path where phpAdsNew is installed

Background:

phpAdsNew is a banner management and tracking system written in PHP.

Affected versions:

Atleast 2.0.6, most likely others versions also.

Description:

Vuln 1:
Full Path Disclosure in create.php

If user can access the misc/revisions/create.php, the script will
echo the whole installation path to the user:
"Starting scan at /var/www/mysite/html/ads"
If the revision script completes successfully, the user can then
try to access libraries/defaults/revisions.txt, which will then
reveal all files and their revisions and hashes, thus furthermore
revealing all files that have been manually modified by the site admin.

The revisions.txt will also reveal any file that has been added under
the installation tree, unless it's hidden (starts with '.')

Vuln 2:
Full Path Disclosures in the following files (Just by accessing with browser)

admin/lib-updates.inc.php
admin/lib-targetstats.inc.php
admin/lib-size.inc.php
admin/lib-misc-stats.inc.php
admin/lib-hourly-hosts.inc.php
admin/lib-hourly.inc.php
admin/lib-history.inc.php
admin/graph-daily.php

Vuln 3:
SQL-injection in logout.php / lib-sessions.inc.php

phpAdsNew doesn't properly validate the sessionID it receives from
cookie when it tries to log out the user. And it doesn't even check
if the user if really logged in in the first place, thus allowing 
unauthorized users to feed data into the SQL-query that's supposed to 
clean the phpads_session -table.
Take into note though that this requires magic_quotes_gpc to be off.


Impact:

A remote attacker could exploit this to learn installation paths on
server, as well as to locate new files and possible manually modified
files.

If magic_quotes_gpc is off, a remote attacker can also compromise the
integrity of the database.

Solution:

Update to the newest version


Acknowledgements:
To the community at dievo.org, keep it up :)

Prev by Date: MDKSA-2005:210 - Updated w3c-libwww packages fixes DoS vulnerability.
Next by Date: [SECURITY] [DSA 892-1] New awstats packages fix arbitrary command execution
Previous by thread: MDKSA-2005:210 - Updated w3c-libwww packages fixes DoS vulnerability.
Next by thread: [SECURITY] [DSA 892-1] New awstats packages fix arbitrary command execution
Index(es):
- Date
- Thread