AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities
Name AlstraSoft E-Friends
Vendor http://www.alstrasoft.com
Versions Affected 4.96
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-10-27
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
AlstraSoft E-Friends is an online social networking
software that allows you to start your own site just like
Friendster and MySpace.
Other versions could be vulnerable.
II. DESCRIPTION
_______________
Many parameters are not properly sanitised before being
used in SQL queries and from the PHP's upload functions.
III. ANALYSIS
_____________
Summary:
A) Arbitrary File Upload
B) Multiple Local File Inclusion
C) Multiple SQL Injection
A) Arbitrary File Upload
________________________
An error in the tribe.php script allows upload of files
with arbitrary extensions to a folder inside the web
root when "act" is set to "show" and "trb_id" is set
to a valid group identification value. The uploaded files
will be copied into the "groups/group_name" directory,
where group_name can be obtained from the vulnerable
page. This can be exploited to execute arbitrary
PHP code by uploading a PHP file.
Example:
If the vulnerable page is the following:
index.php?mode=tribe&act=show&trb_id=103
and the group_name associated to trb_id 103 is "prcd",
then the malicious file under the array $_FILE['file']
will be copied into the groups/prcd directory.
B) Multiple Local File Inclusion
________________________________
Input passed to the "lang" parameter in updatePage.php,
getStartOptions.php is not properly verified before being
used to include files. This can be exploited to include
arbitrary files from local resources via directory
traversal attacks and URL-encoded NULL bytes.
Successful exploitation requires that register_globlas is
set to On.
It is very probable that other PHP files are vulnerable
to local file inclusion vulnerability.
C) Multiple SQL Injection
_________________________
The parameters taken from the cookies are not properly
sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Some parameters are taken from the classic $_POST/$_GET
array and are not properly sanitised before being used in
other SQL queries.
Successful exploitation requires that magic_quotes_gpc is
set to Off.
IV. SAMPLE CODE
_______________
B) Multiple Local File Inclusion
http://site/path/chat/updatePage.php?lang=../../../../../../../../../etc/passwd%00
http://site/path/chat/getStartOptions.php?lang=../../../../../../../../../etc/passwd%00
V. FIX
______
No fix.