Post Affiliate Pro 2.0.x Vuln.

2005-11-26T00:00:00
ID SECURITYVULNS:DOC:10373
Type securityvulns
Reporter Securityvulns
Modified 2005-11-26T00:00:00

Description

Post Affiliate Pro 2.0.x Vuln.
Vuln. discovered by: r0t
Date: 26 Nov. 2005
Original advisory: http://pridels.blogspot.com/2005/11/post-affiliate-pro-20x-vuln.html
Vendor: http://www.qualityunit.com/postaffiliatepro/
Affected version: 2.0.4 and prior

Product description:

Very powerful affiliate software. Free installation with every purchase. Easily set up and maintain your own affiliate program. Support for all types of commissions up to 10-tiers including recurring. Customizable email notifications, mass emails to affiliates. Flexible payout functions, set minimum balance, full payout history. Approve affiliates and sales. Automatic fraud protection. Performance rewards, signup bonus. Multi-language support. Extensive reports and statistics. And much more.

Vuln. Description:

1. Input passed to the "sortorder" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2. Input passed to the "md" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources. Successful exploitation requires that "magic_quotes_gpc" is disabled.

Examples:

/merchants/index.php?md=[FILE]

/postaffiliatepro/merchants/index.php?tm_userid=&tm_orderid=&tm_transtype%5B%5D=32&tm_transtype%5B%5D=1&tm_transtype%5B%5D=2&tm_transtype%5B%5D=4&tm_transtype%5B%5D=8&tm_transtype%5B%5D=16&tm_transtype%5B%5D=64&tm_status=&tm_day1=25&tm_month1=11&tm_year1=2005&tm_day2=25&tm_month2=11&tm_year2=2005&numrows=20&filtered=1&md=[File]

/merchants/index.php?um_name=&um_surname=&um_aid=&um_status=_&numrows=20&filtered=1&md=[File]

/merchants/index.php?tm_userid=&tm_orderid=&tm_transtype%5B%5D=32&tm_transtype%5B%5D=1&tm_transtype%5B%5D=2&tm_transtype%5B%5D=4&tm_transtype%5B%5D=8&tm_transtype%5B%5D=16&tm_transtype%5B%5D=64&tm_status=&tm_day1=25&tm_month1=11&tm_year1=2005&tm_day2=25&tm_month2=11&tm_year2=2005&numrows=20&filtered=1&md=Affiliate_Merchants_Views_TransactionManager&type=all&list_page=0&action=&sortby=ip&sortorder=[SQL]

/merchants/index.php?um_name=&um_surname=&um_aid=&um_status=_&numrows=20&filtered=1&md=Affiliate_Merchants_Views_AffiliateManager&list_page=0&sortby=a.surname&action=&sortorder=[SQL]

Solution: Edit the source code to ensure that input is properly sanitised.
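One way to apply that solution to the two parameters named above, written here as an added illustration and not Post Affiliate Pro's own code; the module-to-file mapping, the `modules/` directory and the column list are assumptions, with the two module names and the `ip` / `a.surname` columns taken from the advisory's own URLs:

```php
<?php
// Added example, not the vendor's code. Validates "md" (a module name that
// ends up in an include) and "sortorder"/"sortby" (appended to ORDER BY).

// Allowlist of module names the dispatcher may include. Both values appear in
// the advisory's URLs; the on-disk layout below is assumed.
const ALLOWED_MODULES = [
    'Affiliate_Merchants_Views_TransactionManager',
    'Affiliate_Merchants_Views_AffiliateManager',
];

// Allowlist of sortable columns (assumed list; both names come from the advisory).
const ALLOWED_SORT_COLUMNS = ['ip', 'a.surname'];

function moduleFileFor(string $md): ?string
{
    // Exact match against the allowlist: path separators, null bytes and
    // stream wrappers never reach include(), whatever magic_quotes_gpc is set to.
    if (!in_array($md, ALLOWED_MODULES, true)) {
        return null;
    }
    // Map the validated name onto a fixed base directory (assumed layout).
    return __DIR__ . '/modules/' . str_replace('_', '/', $md) . '.php';
}

function orderByClause(string $sortby, string $sortorder): ?string
{
    if (!in_array($sortby, ALLOWED_SORT_COLUMNS, true)) {
        return null;
    }
    // Only the two literals ASC and DESC are ever interpolated into the query;
    // any other value is rejected instead of being passed through.
    $dir = strtoupper($sortorder);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        return null;
    }
    return 'ORDER BY ' . $sortby . ' ' . $dir;
}

// Dispatcher: an unknown "md" falls back to the default module rather than
// include()-ing whatever the client supplied.
$file = moduleFileFor($_GET['md'] ?? '') ?? moduleFileFor(ALLOWED_MODULES[0]);
$orderBy = orderByClause($_GET['sortby'] ?? 'ip', $_GET['sortorder'] ?? 'asc');
if ($orderBy === null) {
    http_response_code(400);
    exit('Invalid sort parameters');
}
require $file;
```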