affiliateNetwork.txt

2005-11-20T00:00:00
ID PACKETSTORM:41655
Type packetstorm
Reporter Robin Verton
Modified 2005-11-20T00:00:00

Description

                                        
                                            `Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS   
========================================================================  
  
  
Software: Affiliate Network Pro v7.2  
Severity: SQL Injection(s), Arbitrary code execution, XSS  
Risk: High  
Author: Robin Verton <r.verton@gmail.com>  
Date: Nov. 15 2005  
Vendor: www.alstrasoft.com  
  
  
Description:  
  
AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows   
you to start your own successful affiliate network just like LinkShare and Commission Junction.  
[http://www.alstrasoft.com/]  
  
  
Details:  
  
1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)   
  
$login =(trim($_POST['login'])); // login name  
$passwd =(trim($_POST['passwd'])); // login passord  
  
[...]   
  
$sql ="SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'";  
$result =mysql_query($sql);  
  
Because of no input validation it is possible to injectio malicious code. By submitting (at the index.php login-form)  
with the username admin and the password ' OR '1'='1 you can log in as an administrator.  
  
  
2) /admin/admin_options_manage.php  
  
  
$number=trim($_POST['number']);  
$number =$number; //Notice by auditor: Great code here ;p  
if($number){  
$filename ="../includes/constants.php";  
$fd = fopen ($filename, "r");  
$contents = fread ($fd, filesize ($filename));  
fclose($fd);  
  
$conts =explode("\n",$contents);  
$n =count($conts);  
for ($i=0; $i<$n; $i++) {  
$tmp =explode("=",$conts[$i]);  
$tmp1 =trim($tmp[0]);  
  
if($tmp1=="$"."lines"){  
$conts[$i] =str_replace($lines,$number,$conts[$i]);  
continue;  
}  
}  
  
$fd = fopen ($filename, "w");  
$cont1 =implode("\n",$conts);  
fwrite($fd,$cont1);  
fclose($fd);  
  
Because the input of $_POST['numbers'] is not validated you can write each code you want into the /includes/constants.php file.  
Example input to view a phpinfo() each time the /includes/constant.php is included or accessed:  
  
0; phpinfo()  
  
  
3) /admin/index.php XSS Vulnerability  
  
Via the $Err - which is not validated against XSS - you can insert HTML-Code   
  
/admin/index.php?Err=<script>alert('foobar');</script>  
  
4) /index.php?Act=register XSS Vulnerabilities  
  
Same as in the /admin/index.php file - all fields in the register-form like $firstname, $lastname or $fax are vulnernable to XSS-attacks.   
  
/index.php?Act=register&firstname=<script>alert('weeow :D');</script>  
/index.php?Act=register&lastname=<script>alert('weeow :D');</script>  
  
5) /login_validate.php (with magic_quotes_gpc = Off)  
  
$login =trim($_POST['login']); //login email id  
$passwd =trim($_POST['password']); //password  
$flag =trim($_POST['flag']); //differentiate merchant and affiliate  
  
$sql ="SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'";  
$result =mysql_query($sql);  
  
Like in the admin-login-form the user-input isn't validated here, too. Same dimension - you can log in as an random user or  
insert malicious code.  
  
6) /togateway.php Path disclosure  
  
Because of the insufficient check if a file is direct access or not you can disclose here the path of the affiliate application.  
This file is only an exmaple, nearly EVERY file who shouldn't be access trough direct browsing can be access directly !  
  
  
  
There are a few more SQL-Injections in this software, too much too count them all here.  
  
  
Patch:  
Best way to secure Affiliate Network Pro is to set magic_quotes_gpc in the php.ini ON or to insert a global addslashes for the  
User-submitted variables.  
  
Credits:  
  
Credit goes to Robin Verton  
  
References:  
  
[1] http://www.alstrasoft.com/affiliate.htm  
[2] http://myblog.it-security23.net  
`