<<< Date Index >>>     <<< Thread Index >>>

Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS



Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS 
========================================================================


   Software: Affiliate Network Pro v7.2
   Severity: SQL Injection(s), Arbitrary code execution, XSS
   Risk: High
   Author: Robin Verton <r.verton@xxxxxxxxx>
   Date: Nov. 15 2005
   Vendor: www.alstrasoft.com


   Description:

        AlstraSoft Affiliate Network Pro is the next generation affiliate 
network software solution that allows 
        you to start your own successful affiliate network just like LinkShare 
and Commission Junction.
        [http://www.alstrasoft.com/]


   Details:

        1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)  

           $login                       =(trim($_POST['login']));         //  
login name
           $passwd                      =(trim($_POST['passwd']));        //  
login passord

           [...] 

           $sql           ="SELECT * FROM partners_admin where 
admin_login='$login' AND admin_password='$passwd'";
           $result        =mysql_query($sql);
           
           Because of no input validation it is possible to injectio malicious 
code. By submitting (at the index.php login-form)
           with the username admin and the password ' OR '1'='1 you can log in 
as an administrator.
           

        2) /admin/admin_options_manage.php

          
          $number=trim($_POST['number']);
          $number        =$number;              //Notice by auditor: Great code 
here ;p
          if($number){
                $filename  ="../includes/constants.php";
                $fd = fopen ($filename, "r");
                $contents = fread ($fd, filesize ($filename));
                fclose($fd);

                $conts        =explode("\n",$contents);
                $n        =count($conts);
                for ($i=0; $i<$n; $i++) {
                        $tmp        =explode("=",$conts[$i]);
                        $tmp1        =trim($tmp[0]);

                        if($tmp1=="$"."lines"){
                            $conts[$i]        
=str_replace($lines,$number,$conts[$i]);
                            continue;
                        }
           }

           $fd = fopen ($filename, "w");
           $cont1  =implode("\n",$conts);
           fwrite($fd,$cont1);
           fclose($fd);

           Because the input of $_POST['numbers'] is not validated you can 
write each code you want into the /includes/constants.php file.
           Example input to view a phpinfo() each time the 
/includes/constant.php is included or accessed:

           0; phpinfo()
           

        3) /admin/index.php XSS Vulnerability

           Via the $Err - which is not validated against XSS -  you can insert 
HTML-Code 

           /admin/index.php?Err=<script>alert('foobar');</script>

        4) /index.php?Act=register XSS Vulnerabilities
        
           Same as in the /admin/index.php file - all fields in the 
register-form like $firstname, $lastname or $fax are vulnernable to 
XSS-attacks. 

           /index.php?Act=register&firstname=<script>alert('weeow :D');</script>
           /index.php?Act=register&lastname=<script>alert('weeow :D');</script>

        5) /login_validate.php  (with magic_quotes_gpc = Off)

           $login                =trim($_POST['login']);       //login email id
           $passwd               =trim($_POST['password']);    //password
           $flag                 =trim($_POST['flag']);        //differentiate 
merchant and affiliate

           $sql        ="SELECT * FROM partners_login where 
login_email='$login' AND login_password='$passwd' and login_flag='$type'";
           $result     =mysql_query($sql);

           Like in the admin-login-form the user-input isn't validated here, 
too. Same dimension -  you can log in as an random user or
           insert malicious code.

        6) /togateway.php Path disclosure
           
           Because of the insufficient check if a file is direct access or not 
you can disclose here the path of the affiliate application.
           This file is only an exmaple, nearly EVERY file who shouldn't be 
access trough direct browsing can be access directly !

         

        There are a few more SQL-Injections in this software, too much too 
count them all here.
           
           
   Patch:
          Best way to secure Affiliate Network Pro is to set magic_quotes_gpc 
in the php.ini ON or to insert a global addslashes for the
          User-submitted variables.
  
   Credits:

        Credit goes to Robin Verton

   References:

        [1] http://www.alstrasoft.com/affiliate.htm
        [2] http://myblog.it-security23.net