Multiple vulnerabilities in phpAdsNew

2005.11.11
Credit: Toni Koivunen
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2005-3645 | CVE-2005-3646
CWE: N/A

Title: Multiple vulnerabilities in phpAdsNew Date: 10.11.2005 ID: FS-05-01 Author: Toni Koivunen (toni.koivunen (at) fitsec.com) Synopsis: phpAdsNew has a path disclosure vulnerability which allows a potential attacker to learn the path where phpAdsNew is installed Background: phpAdsNew is a banner management and tracking system written in PHP. Affected versions: Atleast 2.0.6, most likely others versions also. Description: Vuln 1: Full Path Disclosure in create.php If user can access the misc/revisions/create.php, the script will echo the whole installation path to the user: "Starting scan at /var/www/mysite/html/ads" If the revision script completes successfully, the user can then try to access libraries/defaults/revisions.txt, which will then reveal all files and their revisions and hashes, thus furthermore revealing all files that have been manually modified by the site admin. The revisions.txt will also reveal any file that has been added under the installation tree, unless it's hidden (starts with '.') Vuln 2: Full Path Disclosures in the following files (Just by accessing with browser) admin/lib-updates.inc.php admin/lib-targetstats.inc.php admin/lib-size.inc.php admin/lib-misc-stats.inc.php admin/lib-hourly-hosts.inc.php admin/lib-hourly.inc.php admin/lib-history.inc.php admin/graph-daily.php Vuln 3: SQL-injection in logout.php / lib-sessions.inc.php phpAdsNew doesn't properly validate the sessionID it receives from cookie when it tries to log out the user. And it doesn't even check if the user if really logged in in the first place, thus allowing unauthorized users to feed data into the SQL-query that's supposed to clean the phpads_session -table. Take into note though that this requires magic_quotes_gpc to be off. Impact: A remote attacker could exploit this to learn installation paths on server, as well as to locate new files and possible manually modified files. If magic_quotes_gpc is off, a remote attacker can also compromise the integrity of the database. Solution: Update to the newest version Acknowledgements: To the community at dievo.org, keep it up :)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top