AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities
Name: AlstraSoft E-Friends
Vendor: http://www.alstrasoft.com
Versions Affected: 4.96
Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2010-10-27
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
AlstraSoft E-Friends is an online social networking
software that allows you to start your own site just like
Friendster and MySpace.
Other versions could be vulnerable.
II. DESCRIPTION
_______________
Many parameters are not properly sanitised before being
used in SQL queries and in PHP's file upload functions.
III. ANALYSIS
_____________
Summary:
A) Arbitrary File Upload
B) Multiple Local File Inclusion
C) Multiple SQL Injection
A) Arbitrary File Upload
________________________
An error in the tribe.php script allows upload of files
with arbitrary extensions to a folder inside the web
root when "act" is set to "show" and "trb_id" is set
to a valid group identification value. The uploaded files
will be copied into the "groups/group_name" directory,
where group_name can be obtained from the vulnerable
page. This can be exploited to execute arbitrary
PHP code by uploading a PHP file.
Example:
If the vulnerable page is the following:
index.php?mode=tribe&act=show&trb_id=103
and the group_name associated to trb_id 103 is "prcd",
then the malicious file under the array $_FILES['file']
will be copied into the groups/prcd directory.
B) Multiple Local File Inclusion
________________________________
Input passed to the "lang" parameter in updatePage.php and
getStartOptions.php is not properly verified before being
used to include files. This can be exploited to include
arbitrary files from local resources via directory
traversal attacks and URL-encoded NULL bytes.
Successful exploitation requires that register_globals is
set to On.
It is very probable that other PHP files are vulnerable
to local file inclusion as well.
C) Multiple SQL Injection
_________________________
The parameters taken from the cookies are not properly
sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Some parameters are taken from the classic $_POST/$_GET
array and are not properly sanitised before being used in
other SQL queries.
Successful exploitation requires that magic_quotes_gpc is
set to Off.
IV. SAMPLE CODE
_______________
B) Multiple Local File Inclusion
http://site/path/chat/updatePage.php?lang=../../../../../../../../../etc/passwd%00
http://site/path/chat/getStartOptions.php?lang=../../../../../../../../../etc/passwd%00
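A hardened way to handle the "lang" parameter that rejects the two requests above, added here as an illustration and not taken from E-Friends (the lang/ directory layout, the locale allow-list and the function name are assumptions):

```php
<?php
// Added illustration, not AlstraSoft's code: a hardened replacement for an
// include() driven by the "lang" request parameter, as used by updatePage.php
// and getStartOptions.php. The lang/ directory, the allow-list and the
// function name are assumptions.
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/lang';
const ALLOWED_LANGS = ['en', 'de', 'fr', 'it'];   // assumed bundled locales

/**
 * Map a user-supplied language code to a file inside LANG_DIR, or return
 * null. The request value never reaches include() directly: it only
 * selects an entry from a fixed list.
 */
function resolveLangFile(?string $lang): ?string
{
    // Accept only a two-letter lowercase code. This rejects traversal
    // sequences such as "../" and embedded NUL bytes before any file access.
    if ($lang === null || !preg_match('/^[a-z]{2}\z/', $lang)) {
        return null;
    }
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return null;
    }

    // Defence in depth: confirm the resolved path still lies inside LANG_DIR
    // (realpath() returns false for a missing file or directory).
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $lang . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter explicitly from $_GET rather than relying on
// register_globals, and ignore non-string values such as lang[]=x.
$raw = $_GET['lang'] ?? null;
$langFile = resolveLangFile(is_string($raw) ? $raw : null);
if ($langFile === null) {
    $langFile = resolveLangFile('en');   // fall back to the default locale
}
if ($langFile === null) {
    http_response_code(500);
    exit('language files missing');
}
require $langFile;
```

With this check in place the two sample requests above fall through to the default locale instead of reaching include(), regardless of the register_globals or magic_quotes_gpc settings.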
V. FIX
______
No fix.