AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities

vendor:

E-Friends

by:

Salvatore Fresta aka Drosophila

7.5

CVSS

HIGH

Arbitrary File Upload, Multiple Local File Inclusion, Multiple SQL Injection

File Upload, Path Traversal, SQL Injection

CWE

Product Name: E-Friends

Affected Version From: 4.96

Affected Version To: 4.96

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2010

AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities

The AlstraSoft E-Friends 4.96 software is vulnerable to arbitrary file upload, multiple local file inclusion, and multiple SQL injection attacks. The software does not properly sanitize input parameters before using them in SQL queries and PHP's upload functions. An attacker can exploit these vulnerabilities to upload and execute arbitrary PHP code, include arbitrary files from local resources, and perform SQL injection attacks.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize input parameters before using them in SQL queries and file inclusion functions. Additionally, implement proper file upload validation and security measures to prevent arbitrary file uploads. Regularly update the software to the latest version to fix any known vulnerabilities.

Source

Exploit-DB raw data:

AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities

 Name              AlstraSoft E-Friends
 Vendor            http://www.alstrasoft.com
 Versions Affected 4.96

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-10-27

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

AlstraSoft  E-Friends  is  an  online  social  networking
software that allows you to start your own site just like
Friendster and MySpace.

Other versions could be vulnerable.


II. DESCRIPTION
_______________

Many parameters are not properly sanitised  before  being
used in SQL queries and from the PHP's upload functions.


III. ANALYSIS
_____________

Summary:

 A) Arbitrary File Upload
 B) Multiple Local File Inclusion
 C) Multiple SQL Injection
 

A) Arbitrary File Upload
________________________

An error in the tribe.php script allows  upload  of files
with  arbitrary  extensions to  a  folder  inside the web
root when "act"  is  set  to "show"  and  "trb_id" is set
to a valid group identification value. The uploaded files 
will be copied  into  the  "groups/group_name" directory,
where  group_name  can  be  obtained  from the vulnerable
page. This   can   be   exploited  to  execute  arbitrary
PHP code by uploading a PHP file.

Example:

If the vulnerable page is the following:

index.php?mode=tribe&act=show&trb_id=103

and  the  group_name  associated to trb_id 103 is "prcd",
then  the  malicious  file under the array $_FILE['file']
will be copied into the groups/prcd directory.


B) Multiple Local File Inclusion
________________________________

Input passed to the "lang"  parameter in  updatePage.php,
getStartOptions.php is not properly verified before being
used to include files. This can be  exploited  to include
arbitrary  files  from  local  resources   via  directory 
traversal  attacks  and URL-encoded NULL bytes.

Successful exploitation requires that register_globlas is
set to On.

It  is  very probable that other PHP files are vulnerable
to local file inclusion vulnerability.


C) Multiple SQL Injection
_________________________

The  parameters taken  from  the cookies are not properly
sanitised before being used in SQL queries. This  can  be
exploited  to  manipulate   SQL   queries   by  injecting
arbitrary SQL code.

Some parameters are taken from the  classic  $_POST/$_GET
array and are not properly sanitised before being used in
other SQL queries.

Successful exploitation requires that magic_quotes_gpc is
set to Off.


IV. SAMPLE CODE
_______________

B) Multiple Local File Inclusion

http://site/path/chat/updatePage.php?lang=../../../../../../../../../etc/passwd%00
http://site/path/chat/getStartOptions.php?lang=../../../../../../../../../etc/passwd%00


V. FIX
______

No fix.