by r0t,der4444,cembo,VietMafia

Tuesday, April 18, 2006

Leadhound multiple vuln.

###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
Vendor: http://www.leadhoundnetwork.com/
Affected versions:
Leadhound "Full Remote version"
&
Leadhound LITE 2.1
###############################################



Product info:


# Secure private network - Leadhound technology is hosted in-house at Leadhound's corporate offices. To help ensure maximum performance, a dedicated high performance 128-bit SSL secured server is included as part of the licensing agreement.
# Full control over your affiliates - Each application can be reviewed for your approval, or rejection based on criteria that you set.
# Reliability - Leadhound was designed from the ground up to be fully scalable, and serve 10,000's of affiliates. Our technology is proven, reliable, and an affordable solution.
# Time to market - Save tens of thousands of Dollars in development cost, and countless hours of programming. Our technology is blended seamlessly into your current design.


###############################################

Vuln. Description:

1. Multiple SQL injection vuln.

Leadhound contains flaws that allow remote SQL injection attacks. Input passed to the "banner", "offset", "sub", "camp_id", "login", "logged" and "agent_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Notice: to see which parameter is affected in which file, please look at the examples:


/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[SQL]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions_csv.pl?login=r0t&logged=&camp_id=0&sub=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_commission_statement.pl?login=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[SQL]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[SQL]


xssxssxssxssxssxssxssxssxssxssxssxssxssxssxss


2. Multiple XSS vuln.


Leadhound contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "login", "logged", "camp_id", "banner", "offset", "date", "dates" and "page" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/cgi-bin/agent_affil.pl?login=[XSS]

/cgi-bin/agent_help.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=demo&logged=[XSS]

/cgi-bin/agent_help_insert.pl?login=[XSS]

/cgi-bin/agent_help_insert.pl?login=r0t&logged=[XSS]

/cgi-bin/sign_out.pl?login=[XSS]

/cgi-bin/members.pl?login=[XSS]

/cgi-bin/members.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_1.pl?login=[XSS]

/cgi-bin/modify_agent_1.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_2.pl?login=[XSS]

/cgi-bin/modify_agent_2.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent.pl?login=[XSS]

/cgi-bin/modify_agent.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]

/cgi-bin/agent_logoff.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=0&date=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=&date=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_payment_history.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=0&date=[XSS]

/cgi-bin/agent_camp_all.pl?login=[XSS]

/cgi-bin/agent_camp_all.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_new.pl?login=[XSS]

/cgi-bin/agent_camp_new.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_campaign.pl?login=[XSS]

/cgi-bin/agent_campaign.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=[XSS]

/cgi-bin/agent_stats_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_stats_det.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=2&page=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=[XSS]

/cgi-bin/agent_camp_sub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_sub.pl?login=[XSS]

/cgi-bin/agent_affil_list.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_affil_list.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=r0t&logged=[XSS]

The lost password field is affected as well:

/cgi-bin/lost_pwd.pl [XSS]


###############################################
PS. Too many bugs, I'm getting very tired... :)
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
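
Added example (not part of the original advisory and not Leadhound code): a Python triage script that checks requests to /cgi-bin/*.pl scripts against a strict allowlist for the parameters named above, so that access logs can be reviewed for requests that do not fit. The value formats in POLICY, the Common Log Format input and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Value formats are ASSUMPTIONS: the advisory names the parameters but not
# their legal values. Adjust them to the real application before use.
NUMERIC = re.compile(r"\d{0,10}")
TOKEN = re.compile(r"[A-Za-z0-9_.@-]{0,64}")
DATEISH = re.compile(r"[0-9/:. -]{0,32}")
POLICY = {
    "offset": NUMERIC, "camp_id": NUMERIC, "agent_id": NUMERIC, "page": NUMERIC,
    "login": TOKEN, "logged": TOKEN, "sub": TOKEN, "banner": TOKEN,
    "date": DATEISH, "dates": DATEISH,
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
SCRIPT = re.compile(r"/cgi-bin/[A-Za-z0-9_]+\.pl")

def violations(target):
    """Return [(param, decoded_value)] for listed parameters that break POLICY."""
    parts = urlsplit(target)
    if not SCRIPT.fullmatch(parts.path):
        return []
    # parse_qsl percent-decodes once; a doubly encoded value keeps its '%'
    # and therefore still fails the allowlist.
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in POLICY and not POLICY[name].fullmatch(value)]

def triage(log_lines):
    """Return [(line_no, script_path, violations)] for lines worth reviewing."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            bad = violations(match.group(1))
            if bad:
                hits.append((line_no, urlsplit(match.group(1)).path, bad))
    return hits

# Constructed Common Log Format lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2006:10:00:01 +0000] "GET /cgi-bin/agent_links.pl?login=demo&logged=&camp_id=0&sub=&banner=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/Apr/2006:10:00:07 +0000] "GET /cgi-bin/agent_transactions.pl?login=demo&logged=&submitted=1&offset=0%27 HTTP/1.1" 200 811',
    '192.0.2.44 - - [18/Apr/2006:10:00:09 +0000] "GET /cgi-bin/agent_faq.pl?login=%3Cb%3Edemo HTTP/1.1" 200 2048',
    '192.0.2.10 - - [18/Apr/2006:10:00:12 +0000] "GET /index.html?offset=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The advisory's own URLs carry banner='0', so quoted banner values may occur in ordinary traffic and will be reported for review. The lost password field is not covered if it is submitted in a POST body, since only the query string is inspected.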
###############################################
More information @ unsecured-systems.com/forum/


 
Copyright (c) 2006 Pridels Sec Crew