vendor: addalink
by: Pepelux
CVSS: 9 (CRITICAL)
Unauthenticated Remote Code Execution
CWE: 89
Product Name: addalink
Affected Version From: <= 4 - beta
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2008

addalink <= 4 - beta / Write approved links without a previous moderation by the admin

The addalink <= 4 - beta program is vulnerable to unauthenticated remote code execution. By modifying the URL parameters, an attacker can bypass the moderation process and insert links without approval. The vulnerability lies in add_link.php, where the SQL query does not properly validate the 'approved' and 'counter' values, so an attacker can supply their own values for them. This can lead to unauthorized links being published on the website and potential code execution. Appending '&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1' to the request URL bypasses the approval process and inserts links without moderation, and the 'counter' value can be manipulated in the same way to alter the visit counter.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the addalink program. The vendor should fix the SQL query to properly validate the 'approved' and 'counter' values, and ensure that the moderation process is enforced. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.
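One way to apply this mitigation in add_link.php, as an added example that is not addalink's own code: the handler reads only the fields a visitor may set, and 'approved' and 'counter' are constants inside a parameterized INSERT, so request parameters cannot reach them. The function name add_link, the table name links, the column names and the in-memory SQLite database standing in for MySQL are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example, not addalink's code; table and column names are assumed.

function add_link(PDO $db, string $method, array $post, string $ip): int
{
    // The advisory notes that add_link.php never checks the request method.
    if ($method !== 'POST') {
        throw new RuntimeException('POST required');
    }
    // Read only the fields a visitor may set, from the request array itself.
    // 'approved' and 'counter' are never read, so sending them has no effect.
    $url      = filter_var($post['url'] ?? '', FILTER_VALIDATE_URL);
    $email    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $category = filter_var($post['category_id'] ?? '', FILTER_VALIDATE_INT);
    if ($url === false || $email === false || $category === false
        || !preg_match('#^https?://#i', $url)) {
        throw new InvalidArgumentException('invalid submission');
    }
    // Named columns, constants for the moderation state, and bound
    // parameters for everything that came from the client.
    $stmt = $db->prepare(
        'INSERT INTO links (url, linkname, approved, email, counter,
                            description, ip, added_on, category_id)
         VALUES (:url, :linkname, 0, :email, 0, :description, :ip, :added_on, :category_id)'
    );
    $stmt->execute([
        ':url' => $url, ':email' => $email, ':category_id' => $category,
        ':linkname' => (string) ($post['linkname'] ?? ''),
        ':description' => (string) ($post['description'] ?? ''),
        ':ip' => $ip, ':added_on' => date('Y-m-d H:i:s'),
    ]);
    return (int) $db->lastInsertId();
}

// Constructed demo: in-memory SQLite stands in for the MySQL link table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT, linkname TEXT,
    approved INTEGER, email TEXT, counter INTEGER, description TEXT, ip TEXT,
    added_on TEXT, category_id INTEGER)');
// Constructed request that also carries the two fields the advisory abuses.
$post = ['url' => 'http://www.example.com', 'linkname' => 'example', 'approved' => '1',
    'counter' => '9999', 'email' => 'user@example.com', 'description' => 'demo', 'category_id' => '1'];
$id = add_link($db, 'POST', $post, '192.0.2.10');
$check = $db->prepare('SELECT approved, counter FROM links WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetch(PDO::FETCH_ASSOC)); // the stored moderation fields
```

Publishing a link then requires a separate, authenticated admin action that sets approved to 1.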

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
addalink <= 4 - beta / Write approved links without a previous moderation by the admin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

$ Program: addalink
$ Version: <= 4 - beta
$ File affected: add_link.php
$ Download: http://sourceforge.net/projects/addalink/


Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org

Linklist is a miniwebsite that you can use in your webpage. Basically it 
manages a database of links using PHP+MySQL. Users can send links (url, 
description, etc) by a form and one admin has to approve or delete the 
links before the publication in the website.

One not very important problem is that add_link.php doesn't test the 
method used (GET or POST). But the real problem is the method to insert 
some values. 

Reading the code you can see the SQL sentence:

INSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',
            '$counter=0','$description','$ip','$date','$category_id','0')";

It assigns values to approved and counter directly in the SQL sentence. Because of that,
you can enter approved links without moderation by writing this:

http://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link
&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1

Also you can alter the counter of visits if you add &counter=XXXX to the GET


-= Solution =-


$approved = 0;
$counter = 0;

INSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',
            '$counter','$description','$ip','$date','$category_id','0')";

# milw0rm.com [2008-09-17]