affiliateNetwork.txt

Posted Nov 20, 2005
Authored by Robin Verton

Affiliate Network Pro version 7.2 suffers from SQL injection, code execution, and cross site scripting flaws.

tags | exploit, code execution, xss, sql injection
SHA-256 | b68e33f43a3e04ebcaa708511893cd0724696a199e0423be9e92141c50125a03

Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS 
========================================================================


Software: Affiliate Network Pro v7.2
Severity: SQL Injection(s), Arbitrary code execution, XSS
Risk: High
Author: Robin Verton <r.verton@gmail.com>
Date: Nov. 15 2005
Vendor: www.alstrasoft.com


Description:

AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows
you to start your own successful affiliate network just like LinkShare and Commission Junction.
[http://www.alstrasoft.com/]


Details:

1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off)

$login =(trim($_POST['login'])); // login name
$passwd =(trim($_POST['passwd'])); // login password

[...]

$sql ="SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'";
$result =mysql_query($sql);

Because the input is not validated, it is possible to inject malicious code into the query. Submitting the index.php login form
with the username admin and the password ' OR '1'='1 logs you in as an administrator.


2) /admin/admin_options_manage.php


$number=trim($_POST['number']);
$number =$number; //Notice by auditor: Great code here ;p
if($number){
    // read the current constants file
    $filename ="../includes/constants.php";
    $fd = fopen ($filename, "r");
    $contents = fread ($fd, filesize ($filename));
    fclose($fd);

    $conts =explode("\n",$contents);
    $n =count($conts);
    for ($i=0; $i<$n; $i++) {
        $tmp =explode("=",$conts[$i]);
        $tmp1 =trim($tmp[0]);

        // the "$lines = ..." row: the old value is replaced with the raw POST value
        if($tmp1=="$"."lines"){
            $conts[$i] =str_replace($lines,$number,$conts[$i]);
            continue;
        }
    }

    // write the modified PHP source back to disk
    $fd = fopen ($filename, "w");
    $cont1 =implode("\n",$conts);
    fwrite($fd,$cont1);
    fclose($fd);
}

Because the input of $_POST['number'] is not validated, you can write any code you want into the /includes/constants.php file.
Example input that displays phpinfo() each time /includes/constants.php is included or accessed:

0; phpinfo()
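
A hardened form of the same update, as an added example that is not part of the original advisory or the vendor's code: the submitted value must pass an integer check before the $lines assignment is regenerated. The function name, the 1 to 1000 range and the sample file contents are assumptions.

```php
<?php
// Added example: hypothetical helper, not AlstraSoft's code. It rewrites the
// "$lines" assignment only after the submitted value passes an integer check.
function rewrite_lines_constant(string $contents, string $number): string {
    // Accept only a whole number in an assumed range; anything else is rejected.
    $value = filter_var($number, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($value === false) {
        throw new InvalidArgumentException('number must be an integer from 1 to 1000');
    }
    $rows = explode("\n", $contents);
    foreach ($rows as $i => $row) {
        $name = trim(explode('=', $row)[0]);
        if ($name === '$lines') {
            // Emit the whole assignment from the validated integer instead of
            // substituting raw request data into existing PHP source.
            $rows[$i] = '$lines = ' . $value . ';';
        }
    }
    return implode("\n", $rows);
}

// Constructed stand-in for ../includes/constants.php.
$sample = "<?php\n\$title = 'Affiliates';\n\$lines = 20;\n";

echo rewrite_lines_constant($sample, '50'), "\n";
try {
    rewrite_lines_constant($sample, '0; phpinfo()');   // input quoted in the advisory
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```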


3) /admin/index.php XSS Vulnerability

The $Err parameter is not validated against XSS, so you can insert HTML code:

/admin/index.php?Err=<script>alert('foobar');</script>

4) /index.php?Act=register XSS Vulnerabilities

As in the /admin/index.php file, all fields in the register form, such as $firstname, $lastname or $fax, are vulnerable to XSS attacks.

/index.php?Act=register&firstname=<script>alert('weeow :D');</script>
/index.php?Act=register&lastname=<script>alert('weeow :D');</script>
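
Output encoding for the reflected values in items 3 and 4, as an added example that is not part of the original advisory or the vendor's code. The helper names and the HTML layout are assumptions, including that the register form re-populates its fields into value attributes.

```php
<?php
// Added example: hypothetical rendering helpers, not the application's code.
function e(string $value): string {
    // Encode &, <, >, " and ' so the value cannot leave text or a quoted attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Error banner as on /admin/index.php: Err is reflected as text content.
function render_error(array $query): string {
    // Non-string input (e.g. Err[]=x arrives as an array) is treated as empty.
    $err = isset($query['Err']) && is_string($query['Err']) ? $query['Err'] : '';
    return $err === '' ? '' : '<p class="error">' . e($err) . '</p>';
}

// Register form as on /index.php?Act=register: values go back into attributes.
function render_register_fields(array $query): string {
    $html = '';
    foreach (['firstname', 'lastname', 'fax'] as $field) {
        $value = isset($query[$field]) && is_string($query[$field]) ? $query[$field] : '';
        $html .= '<input type="text" name="' . $field . '" value="' . e($value) . '">' . "\n";
    }
    return $html;
}

// Constructed request using the strings quoted in the advisory.
$query = [
    'Err'       => "<script>alert('foobar');</script>",
    'firstname' => "<script>alert('weeow :D');</script>",
];
echo render_error($query), "\n", render_register_fields($query);
```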

5) /login_validate.php (with magic_quotes_gpc = Off)

$login =trim($_POST['login']); //login email id
$passwd =trim($_POST['password']); //password
$flag =trim($_POST['flag']); //differentiate merchant and affiliate

$sql ="SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'";
$result =mysql_query($sql);

As in the admin login form, the user input isn't validated here either. The impact is the same: you can log in as a random user or
insert malicious code.
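
The login queries in items 1 and 5 beside a parameterized form, as an added example that is not part of the original advisory or the vendor's code. It uses PDO prepared statements and password hashing, a different technique from the escaping the advisory recommends; the in-memory SQLite table, the function names and the sample account are assumptions.

```php
<?php
// Added example: constructed in-memory SQLite table standing in for the
// application's MySQL partners_admin table (column names from the advisory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE partners_admin (admin_login TEXT, admin_password TEXT)");
$ins = $db->prepare("INSERT INTO partners_admin VALUES (?, ?)");
// Constructed sample account; the hardened path stores a hash, not the password.
$ins->execute(['admin', password_hash('s3cret-sample', PASSWORD_DEFAULT)]);

// The pattern from the advisory: user input concatenated into the statement.
function login_concatenated(PDO $db, string $login, string $passwd): bool {
    $sql = "SELECT * FROM partners_admin WHERE admin_login='$login' AND admin_password='$passwd'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the login is bound as data and the password is checked in PHP
// against the stored hash, so no request value becomes part of the SQL text.
function login_prepared(PDO $db, string $login, string $passwd): bool {
    $stmt = $db->prepare("SELECT admin_password FROM partners_admin WHERE admin_login = ?");
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($passwd, $hash);
}

$payload = "' OR '1'='1";   // password value given in the advisory

// The quote in the payload ends the string literal and the OR clause matches every row.
var_dump(login_concatenated($db, 'admin', $payload));
// The same payload is only ever compared as a plain string.
var_dump(login_prepared($db, 'admin', $payload));
// The constructed sample password still authenticates.
var_dump(login_prepared($db, 'admin', 's3cret-sample'));
```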

6) /togateway.php Path disclosure

Because the check for whether a file is accessed directly is insufficient, you can disclose the path of the affiliate application here.
This file is only an example; nearly EVERY file that shouldn't be accessed through direct browsing can be accessed directly!



There are a few more SQL injections in this software, too many to count them all here.


Patch:
The best way to secure Affiliate Network Pro is to set magic_quotes_gpc to On in php.ini, or to insert a global addslashes for the
user-submitted variables.

Credits:

Credit goes to Robin Verton
