Affiliate Network Pro v7.2 SQL Injections, Arbitrary code execution, XSS ======================================================================== Software: Affiliate Network Pro v7.2 Severity: SQL Injection(s), Arbitrary code execution, XSS Risk: High Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]> Date: Nov. 15 2005 Vendor: www.alstrasoft.com Description: AlstraSoft Affiliate Network Pro is the next generation affiliate network software solution that allows you to start your own successful affiliate network just like LinkShare and Commission Junction. [http://www.alstrasoft.com/] Details: 1) /admin/admin_validate_login.php (with magic_quotes_gpc = Off) $login =(trim($_POST['login'])); // login name $passwd =(trim($_POST['passwd'])); // login passord [...] $sql ="SELECT * FROM partners_admin where admin_login='$login' AND admin_password='$passwd'"; $result =mysql_query($sql); Because of no input validation it is possible to injectio malicious code. By submitting (at the index.php login-form) with the username admin and the password ' OR '1'='1 you can log in as an administrator. 2) /admin/admin_options_manage.php $number=trim($_POST['number']); $number =$number; //Notice by auditor: Great code here ;p if($number){ $filename ="../includes/constants.php"; $fd = fopen ($filename, "r"); $contents = fread ($fd, filesize ($filename)); fclose($fd); $conts =explode("n",$contents); $n =count($conts); for ($i=0; $i<$n; $i++) { $tmp =explode("=",$conts[$i]); $tmp1 =trim($tmp[0]); if($tmp1=="$"."lines"){ $conts[$i] =str_replace($lines,$number,$conts[$i]); continue; } } $fd = fopen ($filename, "w"); $cont1 =implode("n",$conts); fwrite($fd,$cont1); fclose($fd); Because the input of $_POST['numbers'] is not validated you can write each code you want into the /includes/constants.php file. Example input to view a phpinfo() each time the /includes/constant.php is included or accessed: 0; phpinfo() 3) /admin/index.php XSS Vulnerability Via the $Err - which is not validated against XSS - you can insert HTML-Code /admin/index.php?Err=<script>alert('foobar');</script> 4) /index.php?Act=register XSS Vulnerabilities Same as in the /admin/index.php file - all fields in the register-form like $firstname, $lastname or $fax are vulnernable to XSS-attacks. /index.php?Act=register&firstname=<script>alert('weeow :D');</script> /index.php?Act=register&lastname=<script>alert('weeow :D');</script> 5) /login_validate.php (with magic_quotes_gpc = Off) $login =trim($_POST['login']); //login email id $passwd =trim($_POST['password']); //password $flag =trim($_POST['flag']); //differentiate merchant and affiliate $sql ="SELECT * FROM partners_login where login_email='$login' AND login_password='$passwd' and login_flag='$type'"; $result =mysql_query($sql); Like in the admin-login-form the user-input isn't validated here, too. Same dimension - you can log in as an random user or insert malicious code. 6) /togateway.php Path disclosure Because of the insufficient check if a file is direct access or not you can disclose here the path of the affiliate application. This file is only an exmaple, nearly EVERY file who shouldn't be access trough direct browsing can be access directly ! There are a few more SQL-Injections in this software, too much too count them all here. Patch: Best way to secure Affiliate Network Pro is to set magic_quotes_gpc in the php.ini ON or to insert a global addslashes for the User-submitted variables. Credits: Credit goes to Robin Verton References: [1] http://www.alstrasoft.com/affiliate.htm [2] http://myblog.it-security23.net