AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities

Name              AlstraSoft E-Friends
Vendor            http://www.alstrasoft.com
Versions Affected 4.96
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-10-27

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

AlstraSoft E-Friends is an online social networking software that allows you to start your own site just like Friendster and MySpace. Other versions could be vulnerable.

II. DESCRIPTION
_______________

Many parameters are not properly sanitised before being used in SQL queries and in PHP's upload functions.

III. ANALYSIS
_____________

Summary:

A) Arbitrary File Upload
B) Multiple Local File Inclusion
C) Multiple SQL Injection

A) Arbitrary File Upload
________________________

An error in the tribe.php script allows upload of files with arbitrary extensions to a folder inside the web root when "act" is set to "show" and "trb_id" is set to a valid group identification value. The uploaded files will be copied into the "groups/group_name" directory, where group_name can be obtained from the vulnerable page. This can be exploited to execute arbitrary PHP code by uploading a PHP file.

Example:

If the vulnerable page is the following:

index.php?mode=tribe&act=show&trb_id=103

and the group_name associated to trb_id 103 is "prcd", then the malicious file under the array $_FILES['file'] will be copied into the groups/prcd directory.

B) Multiple Local File Inclusion
________________________________

Input passed to the "lang" parameter in updatePage.php and getStartOptions.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. Successful exploitation requires that register_globals is set to On.

It is very probable that other PHP files are vulnerable to local file inclusion.

C) Multiple SQL Injection
_________________________

The parameters taken from the cookies are not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Some parameters are taken from the classic $_POST/$_GET arrays and are not properly sanitised before being used in other SQL queries. Successful exploitation requires that magic_quotes_gpc is set to Off.

IV. SAMPLE CODE
_______________

B) Multiple Local File Inclusion

http://site/path/chat/updatePage.php?lang=../../../../../../../../../etc/passwd%00
http://site/path/chat/getStartOptions.php?lang=../../../../../../../../../etc/passwd%00

V. FIX
______

No fix.
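Since the advisory ships no fix, the following is an added example (not part of the advisory and not AlstraSoft's code) of the server-side validation that closes the two file-handling issues described in sections A and B: an allowlist check on the "lang" include parameter that rejects the traversal and NUL-byte payloads listed under SAMPLE CODE, and a server-chosen name for uploaded files that drops directory components and anything but an allowlisted image extension. The directory path, the accepted extensions and the function names are assumptions, and the inputs fed to it are constructed for the demonstration.

```python
"""Added example, not from the advisory or from AlstraSoft: strict allowlist
validation for the "lang" include parameter and for uploaded file names.
LANG_DIR, ALLOWED_UPLOAD_EXT and the function names are assumptions."""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory holding the chat language files (lang/en.php, ...)
LANG_DIR = "/var/www/efriends/chat/lang"
# The only legitimate shapes for "lang": a locale code such as "en" or "pt_BR"
LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")
# Extensions the group area actually needs; php, phtml, htaccess, ... are rejected
ALLOWED_UPLOAD_EXT = {"jpg", "jpeg", "png", "gif"}


def safe_language_file(lang: str, base_dir: str = LANG_DIR) -> Optional[str]:
    """Return the absolute path of the language file to include, or None.

    The value is URL-decoded once more so a double-encoded "%2500" cannot slip
    through, then rejected if it carries a NUL byte, fails the locale allowlist,
    or resolves outside base_dir (defence in depth: the allowlist alone already
    excludes "." and "/").
    """
    decoded = unquote(unquote(lang))
    if "\x00" in decoded or not LANG_RE.fullmatch(decoded):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def safe_upload_name(client_name: str) -> Optional[str]:
    """Derive a server-chosen file name from the client-supplied one, or None.

    Directory components are discarded, the extension must be on the allowlist
    (compared case-insensitively), and the remaining stem is reduced to a safe
    character set, so "x.php.jpg" becomes "x_php.jpg" and cannot be picked up
    as PHP by a server that honours multiple extensions.
    """
    name = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in name:
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return None  # no extension at all, or a dotfile such as ".htaccess"
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        return None
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: the advisory's traversal payload plus benign values
    for value in ("en", "pt_BR",
                  "../../../../../../../../../etc/passwd%00",
                  "..%2F..%2Fetc%2Fpasswd"):
        print(f"lang={value!r:46} -> {safe_language_file(value)}")
    for value in ("avatar.JPG", "shell.php", "../../x.php.jpg", ".htaccess"):
        print(f"file={value!r:20} -> {safe_upload_name(value)}")
```

The same posture applies to section C: the control for the cookie and $_POST/$_GET parameters is parameterised queries, and neither register_globals nor magic_quotes_gpc (both removed from PHP in 5.4) is a substitute for validating the input at the point of use.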