
Multiple vulnerabilities in LineWeb 1.0.5






LineWeb is a web app for managing private servers of Lineage 2, a well-known MMORPG, and allows actions such as:

Main Features:
- Register
- Login
- Quick Login Function
- Quick statistics function (server status, game server status, online players)
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)

Administrator Features:
- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
- Add administrator
- Logout (of course)

Member Panel Features:
- Automatically views all your current characters when you login (name, level, kills etc)
- Change account password
- Delete account
- Logout


Live Demo Front : http://demo.l2web.org/
Live Demo Admin : http://demo.l2web.org/admin/

Demo Administrator Login:
user : demo
password : demo123


LFI:

We can find this part of the code in index.php:



Which allows us to include local files through index.php by using the $op variable, e.g.: http://localhost/Lineage ACM/lineweb_1.0.5/index.php?op=../../../../../../../etc/passwd


We can also find this vuln. in /admin/index.php, e.g.:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd
=0D
**************************************************

Strange behavior on op=register:

If we register a username twice, e.g.: username=o&password=12345&confirmpassword=12345&email=&submit2=Register
We get:
The username already exists.

But if we send a long string twice, e.g.:
username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaao&password=12345&confirmpassword=12345&email=&submit2=Register

We get:
Duplicate entry 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' for key 'PRIMARY'



SQL Injection?

In admin/edit_news.php we can find this source:

65 elseif(isset($_GET['newsid']))
66      {
67 
68      $result = mysql_query("SELECT * FROM news WHERE newsid='" . $_GET['newsid'] . "'");
69         while($myrow = mysql_fetch_array($result))
70     {
71

We can observe that no check at all is performed on the input we pass in $newsid, so if we inject a single quote (') in:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27
We get:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\Lineage ACM\lineweb_1.0.5\admin\edit_news.php on line 69
We can find this vuln. in: edit_news.php, edit_downloads.php and edit_ads.php.
It requires magic_quotes = OFF
=0D
**************************************************

Edit without permission:

edit_downloads.php allows us to edit any download link without any verification at all. By doing this, we could trick users into downloading an infected file.

The same happens in edit_ads.php: if we pass values for ad_name and ad_content in the URL, we get permission to edit news without any verification:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA

By doing this we could perform an HTML, XSS or CSS injection.
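For reference, here are hardened equivalents of the three weaknesses above (the $op include, the unchecked newsid query, and the unauthenticated edit pages). This is an added example, not LineWeb's own code; it assumes $pdo is a PDO connection to the LineWeb database, that the admin login sets $_SESSION['is_admin'], and that the ads table and column names are as guessed in the comments.

```php
<?php
// Added example, not LineWeb's own code: hardened equivalents of the three
// patterns in this advisory. Assumptions: $pdo is a PDO connection to the
// LineWeb database and $_SESSION['is_admin'] is set by the admin login;
// the ads table/column names (ads, ad_id, ad_name, ad_content) are guesses.

// 1. LFI in index.php / admin/index.php: never build an include path from
//    the "op" parameter; map it onto a fixed list of page files instead.
function resolve_page(string $op): ?string
{
    $pages = [
        'home'     => 'pages/home.php',
        'register' => 'pages/register.php',
        'login'    => 'pages/login.php',
    ];
    return $pages[$op] ?? null;   // unknown op gives null, never a path
}

// 2. SQL injection in admin/edit_news.php (line 68): a prepared statement
//    keeps newsid as data, so a quote cannot alter the query, regardless
//    of the magic_quotes setting.
function fetch_news(PDO $pdo, string $newsid): array
{
    if (!ctype_digit($newsid)) {
        return [];                // reject anything that is not a numeric id
    }
    $stmt = $pdo->prepare('SELECT * FROM news WHERE newsid = :id');
    $stmt->execute([':id' => (int) $newsid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Unauthenticated edits in edit_downloads.php / edit_ads.php: require an
//    admin session, change state only on POST, and escape stored content on
//    output so injected HTML is rendered as text.
function update_ad(PDO $pdo, int $adId, string $name, string $content): bool
{
    if (empty($_SESSION['is_admin']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(403);
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE ads SET ad_name = :n, ad_content = :c WHERE ad_id = :id');
    return $stmt->execute([':n' => $name, ':c' => $content, ':id' => $adId]);
}

function render_ad(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}
```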
=0D
Ignacio Garrido,

Argentina.
