Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS
Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS
========================================================================
Software: Affiliate Network Pro v7.2
Severity: SQL Injection(s), Arbitrary code execution, XSS
Risk: High
Author: Robin Verton <r.verton@xxxxxxxxx>
Date: Nov. 15 2005
Vendor: www.alstrasoft.com
Description:
AlstraSoft Affiliate Network Pro is the next generation affiliate
network software solution that allows
you to start your own successful affiliate network just like LinkShare
and Commission Junction.
[http://www.alstrasoft.com/]
Details:
1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)
$login =(trim($_POST['login'])); //
login name
$passwd =(trim($_POST['passwd'])); //
login passord
[...]
$sql ="SELECT * FROM partners_admin where
admin_login='$login' AND admin_password='$passwd'";
$result =mysql_query($sql);
Because of no input validation it is possible to injectio malicious
code. By submitting (at the index.php login-form)
with the username admin and the password ' OR '1'='1 you can log in
as an administrator.
2) /admin/admin_options_manage.php
$number=trim($_POST['number']);
$number =$number; //Notice by auditor: Great code
here ;p
if($number){
$filename ="../includes/constants.php";
$fd = fopen ($filename, "r");
$contents = fread ($fd, filesize ($filename));
fclose($fd);
$conts =explode("\n",$contents);
$n =count($conts);
for ($i=0; $i<$n; $i++) {
$tmp =explode("=",$conts[$i]);
$tmp1 =trim($tmp[0]);
if($tmp1=="$"."lines"){
$conts[$i]
=str_replace($lines,$number,$conts[$i]);
continue;
}
}
$fd = fopen ($filename, "w");
$cont1 =implode("\n",$conts);
fwrite($fd,$cont1);
fclose($fd);
Because the input of $_POST['numbers'] is not validated you can
write each code you want into the /includes/constants.php file.
Example input to view a phpinfo() each time the
/includes/constant.php is included or accessed:
0; phpinfo()
3) /admin/index.php XSS Vulnerability
Via the $Err - which is not validated against XSS - you can insert
HTML-Code
/admin/index.php?Err=<script>alert('foobar');</script>
4) /index.php?Act=register XSS Vulnerabilities
Same as in the /admin/index.php file - all fields in the
register-form like $firstname, $lastname or $fax are vulnernable to
XSS-attacks.
/index.php?Act=register&firstname=<script>alert('weeow :D');</script>
/index.php?Act=register&lastname=<script>alert('weeow :D');</script>
5) /login_validate.php (with magic_quotes_gpc = Off)
$login =trim($_POST['login']); //login email id
$passwd =trim($_POST['password']); //password
$flag =trim($_POST['flag']); //differentiate
merchant and affiliate
$sql ="SELECT * FROM partners_login where
login_email='$login' AND login_password='$passwd' and login_flag='$type'";
$result =mysql_query($sql);
Like in the admin-login-form the user-input isn't validated here,
too. Same dimension - you can log in as an random user or
insert malicious code.
6) /togateway.php Path disclosure
Because of the insufficient check if a file is direct access or not
you can disclose here the path of the affiliate application.
This file is only an exmaple, nearly EVERY file who shouldn't be
access trough direct browsing can be access directly !
There are a few more SQL-Injections in this software, too much too
count them all here.
Patch:
Best way to secure Affiliate Network Pro is to set magic_quotes_gpc
in the php.ini ON or to insert a global addslashes for the
User-submitted variables.
Credits:
Credit goes to Robin Verton
References:
[1] http://www.alstrasoft.com/affiliate.htm
[2] http://myblog.it-security23.net