Alstrasoft e-Friends 4.96 - Multiple Vulnerabilities

Reported by Salvatore Fresta, 27 Oct 2010. Type: exploitdb. Source: www.exploit-db.com

AlstraSoft E-Friends 4.96 multiple vulnerabilities, allowing arbitrary file upload, local file inclusion, and SQL injection attacks

AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities

 Name              AlstraSoft E-Friends
 Vendor            http://www.alstrasoft.com
 Versions Affected 4.96

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-10-27

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

AlstraSoft  E-Friends  is  an  online  social  networking
software that allows you to start your own site just like
Friendster and MySpace.

Other versions could be vulnerable.


II. DESCRIPTION
_______________

Many parameters are not properly sanitised  before  being
used in SQL queries, in include statements, and by PHP's
file upload handling.


III. ANALYSIS
_____________

Summary:

 A) Arbitrary File Upload
 B) Multiple Local File Inclusion
 C) Multiple SQL Injection
 

A) Arbitrary File Upload
________________________

An error in the tribe.php script allows  upload  of files
with  arbitrary  extensions to  a  folder  inside the web
root when "act"  is  set  to "show"  and  "trb_id" is set
to a valid group identification value. The uploaded files 
will be copied  into  the  "groups/group_name" directory,
where  group_name  can  be  obtained  from the vulnerable
page. This   can   be   exploited  to  execute  arbitrary
PHP code by uploading a PHP file.

Example:

If the vulnerable page is the following:

index.php?mode=tribe&act=show&trb_id=103

and  the  group_name  associated to trb_id 103 is "prcd",
then  the  malicious  file under the array $_FILES['file']
will be copied into the groups/prcd directory.


B) Multiple Local File Inclusion
________________________________

Input passed to the "lang"  parameter in chat/updatePage.php
and chat/getStartOptions.php is not properly verified before
being used to include files. This can be exploited to include
arbitrary  files  from  local  resources   via  directory
traversal  and  a  URL-encoded  NULL byte (%00), which cuts
the path off before the suffix the script appends. NULL-byte
truncation in include paths was removed in PHP 5.3.4, so on
later builds the traversal is limited to files that end with
that suffix.

Successful exploitation requires that register_globals is
set to On, because the scripts read $lang directly rather
than taking it from $_GET.

It  is  very probable that other PHP files are vulnerable
to local file inclusion.
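The two points above (NULL-byte truncation and the register_globals precondition) are easier to see with a small model of the include. This is an added example, not code from E-Friends or the advisory: the actual include statement is not shown, so the pattern `include "lang/$lang.php"`, the install path and the language set are assumptions. The first function reproduces what such an include resolves to on a PHP build that still truncates at NUL; the second is the allowlist-plus-containment check that closes the hole regardless of PHP version or register_globals.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumptions for the illustration: install path and the set of shipped
# language files. Neither is stated in the advisory.
WEB_ROOT = "/var/www/efriends/chat"
ALLOWED_LANGS = {"en", "it", "de"}


def vulnerable_include_target(lang_param: str) -> str:
    """Path an assumed `include "lang/$lang.php"` opens when $lang is
    populated straight from the query string (register_globals=On) and the
    PHP build predates 5.3.4, where NUL bytes in file paths are rejected."""
    lang = unquote(lang_param)                 # %00 -> "\x00", %2e -> "."
    raw = f"{WEB_ROOT}/lang/{lang}.php"        # naive string concatenation
    truncated = raw.split("\x00", 1)[0]        # C runtime stops at NUL: ".php" is lost
    return posixpath.normpath(truncated)       # "../" segments walk above lang/


def safe_include_target(lang_param: str) -> Optional[str]:
    """Allowlist the value, then confirm the resolved path is still inside
    lang/. Returns None when the request must be rejected."""
    lang = unquote(lang_param)
    if lang not in ALLOWED_LANGS:
        return None
    target = posixpath.normpath(f"{WEB_ROOT}/lang/{lang}.php")
    if not target.startswith(f"{WEB_ROOT}/lang/"):   # defence in depth
        return None
    return target


if __name__ == "__main__":
    for p in ("en", "../../../../../../../../../etc/passwd%00", "../../etc/passwd"):
        print(f"{p!r:48} vulnerable -> {vulnerable_include_target(p)}")
        print(f"{'':48} safe       -> {safe_include_target(p)}")
```

Without the NULL byte the ".php" suffix survives, which is why the advisory's sample URLs end in %00; with it the traversal lands exactly on /etc/passwd.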


C) Multiple SQL Injection
_________________________

The  parameters taken  from  the cookies are not properly
sanitised before being used in SQL queries. This  can  be
exploited  to  manipulate   SQL   queries   by  injecting
arbitrary SQL code.

Some parameters are taken from the  classic  $_POST/$_GET
array and are not properly sanitised before being used in
other SQL queries.

Successful exploitation requires that magic_quotes_gpc is
set to Off.
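The magic_quotes_gpc precondition deserves a worked check, because the directive only matters where the value lands inside a quoted string. This is an added example, not the application's code: the advisory does not show the queries, so the members table and the two query shapes (a quoted username lookup and an unquoted numeric id lookup) are assumed. It runs against an in-memory SQLite database and emulates magic_quotes_gpc with a small addslashes() so the effect on each context can be compared with proper parameter binding.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed members table standing in for the E-Friends schema (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "bob")])
    return conn


def addslashes(value: str) -> str:
    """What magic_quotes_gpc=On does to every GET/POST/cookie value before
    the script sees it: backslash-escape quotes, backslashes and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def vulnerable_by_name(conn: sqlite3.Connection, cookie_user: str) -> List[str]:
    # Cookie value interpolated into a quoted string context.
    sql = f"SELECT username FROM members WHERE username='{cookie_user}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def vulnerable_by_id(conn: sqlite3.Connection, cookie_id: str) -> List[str]:
    # Cookie value interpolated into an unquoted numeric context: addslashes()
    # never touches digits, spaces or "=", so magic_quotes_gpc is no help here.
    sql = f"SELECT username FROM members WHERE id={cookie_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_by_name(conn: sqlite3.Connection, cookie_user: str) -> List[str]:
    sql = "SELECT username FROM members WHERE username=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (cookie_user,))]


def safe_by_id(conn: sqlite3.Connection, cookie_id: str) -> List[str]:
    try:
        ident = int(cookie_id)          # enforce the type before it reaches SQL
    except ValueError:
        return []
    sql = "SELECT username FROM members WHERE id=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (ident,))]


if __name__ == "__main__":
    db = build_db()
    print("string ctx, raw cookie   :", vulnerable_by_name(db, "' OR '1'='1"))
    print("string ctx, magic_quotes :", addslashes("' OR '1'='1"))
    print("numeric ctx, magic_quotes:", vulnerable_by_id(db, addslashes("2 OR 1=1")))
    print("bound parameter          :", safe_by_name(db, "' OR '1'='1"), safe_by_id(db, "2 OR 1=1"))
```

The escaped string-context payload is shown rather than executed because backslash escaping is MySQL behaviour that SQLite does not share; the numeric-context case executes unchanged with magic_quotes_gpc on or off, which is why the directive is a precondition only for the quoted injections and not a fix for any of them.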


IV. SAMPLE CODE
_______________

B) Multiple Local File Inclusion

http://site/path/chat/updatePage.php?lang=../../../../../../../../../etc/passwd%00
http://site/path/chat/getStartOptions.php?lang=../../../../../../../../../etc/passwd%00
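For defenders, the same requests are what should show up in the web server log. The following is an added example, not part of the advisory: it scans constructed Apache combined-format lines (not real traffic; the /efriends/ prefix, the "prcd" group directory and the cmd.php file name are assumptions) and flags the three patterns the analysis describes. It generalises slightly beyond the sample URLs by checking every query parameter for traversal or a NUL byte, since the advisory expects further scripts to be affected.

```python
import re
from typing import List, Optional, Dict
from urllib.parse import urlsplit, parse_qs

# Constructed log lines for the demonstration; not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2010:10:00:01 +0000] "GET /efriends/chat/updatePage.php?lang=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Oct/2010:10:00:02 +0000] "GET /efriends/chat/getStartOptions.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Oct/2010:10:00:03 +0000] "POST /efriends/index.php?mode=tribe&act=show&trb_id=103 HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Oct/2010:10:00:04 +0000] "GET /efriends/groups/prcd/cmd.php?c=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2010:10:01:00 +0000] "GET /efriends/index.php?mode=tribe&act=show&trb_id=103 HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A .php file one level below groups/: the drop location from section III.A.
GROUP_PHP_RE = re.compile(r"/groups/[^/]+/[^/]+\.php$")


def classify(line: str) -> Optional[str]:
    """Return the rule name a log line matches, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)   # also %-decodes values

    # Rule 1: any parameter carrying traversal or a NUL byte (section III.B).
    for values in params.values():
        for value in values:
            if "\x00" in value or "../" in value or "..\\" in value:
                return "lfi_traversal"

    # Rule 2: a POST to the tribe "show" page, the only way a browser
    # submits a file to the vulnerable handler (section III.A).
    if (m["method"] == "POST" and url.path.endswith("/index.php")
            and params.get("mode") == ["tribe"] and params.get("act") == ["show"]):
        return "tribe_upload_post"

    # Rule 3: PHP being requested from inside a group directory.
    if GROUP_PHP_RE.search(url.path):
        return "group_dir_php_request"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        rule = classify(line)
        if rule:
            m = LOG_RE.match(line)
            findings.append({"rule": rule, "client": m["client"],
                             "request": f'{m["method"]} {m["target"]}'})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["rule"]:24} {hit["client"]:12} {hit["request"]}')
```

Rule 2 will also fire on legitimate group-page form posts, so in practice it is a correlation input: a POST to the tribe page followed shortly by a request for a new .php file under groups/ from the same client is the sequence worth alerting on.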


V. FIX
______

No fix.

Until the vendor provides one, the preconditions  listed in
section III can be removed by  the operator: set register_
globals to Off (closes B); bind or properly escape every
cookie and request value used in a query, since magic_quotes_
gpc only blocks the quoted-string injections (C); and restrict
the tribe.php upload handler to an allowlist of extensions,
storing the files outside the web root or in a directory
where PHP execution is disabled (A).
