by r0t,der4444,cembo,VietMafia

Tuesday, April 18, 2006

xFlow v5.x multiple vuln.

###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
Vendor link: http://www.skymarx.com/affiliate_software.html
Affected versions: v5.46.11 and previous
###############################################


Product info:

After over five years of development, the xFlow has become an industry leader amongst membership management software, and will continue to dominate. With version 6 in development (written in PHP) and our expanding premier business services, the xFlow and Skymarx Solutions will soon be rivaling the largest software providers in the world.
Designed with flexibility in mind, you can easily customize the xFlow to your exact business needs. Packaged with tons of features, the xFlow contains everything you need to successfully start your own membership based business, or manage a large corporation: customizable member database, full genealogy tracking, transaction system, reporting features, powerful Member's Only Area, support for 28+ payment processors, plus much more.

###############################################



Vuln. Description:

1. SQL inj. vuln.

xFlow contains a flaw that allows remote SQL injection attacks. Input passed to the "position" and "id" parameters of "index.cgi" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=Direct&position=1[SQL]

/members_only/index.cgi?id=[SQL]&username=r0t&seed=TfgNxKhyqEELQQQKizBWyVShdbOpfugMaQhpuGqI




2. XSS vuln.

xFlow contains a flaw that allows remote cross-site scripting attacks. This flaw exists because input passed to the "level", "position", "id", "action" and "page" parameters of "index.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:


/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=[XSS]&position=10

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=Direct&position=1[XSS]

/members_only/index.cgi?id=[XSS]&username=r0t&seed=TfgNxKhyqEELQQQKizBWyVShdbOpfugMaQhpuGqI

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=[XSS]&level=&position=10

/customer_area/index.cgi?id=1&username=r0t&seed=pWltDqcPcLuedZnXTwCNWldbpJmQANHFHfFvveFY&page=[XSS]



3. Full Path Disclosure & info

examples:

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=[CODE]&level=&position=10

/customer_area/index.cgi?id=1&username=r0t&seed=pWltDqcPcLuedZnXTwCNWldbpJmQANHFHfFvveFY&page=[CODE]
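The script paths and parameter names listed in sections 1 to 3 are enough for a site operator to spot attempts against these handlers in existing web server logs. The following checker is an added example and is not part of the advisory; it assumes an Apache/NCSA combined log format, and the log lines embedded in it are constructed for illustration (the seed value "SEED" is a placeholder, not a real session seed).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Handlers named in the advisory and the parameters it lists for each class of flaw.
_WATCHED_PATHS = ("/members_only/index.cgi", "/customer_area/index.cgi")
_NUMERIC_PARAMS = ("id", "position")          # section 1: should only ever be integers
_TEXT_PARAMS = ("level", "action", "page")     # sections 2/3: echoed back into the page

# Request target out of an NCSA-style log line: "GET /path?query HTTP/1.x"
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
_INT_RE = re.compile(r"^[0-9]+$")
# Markup characters or a few SQL keywords in a parameter that the application only
# expects to contain a level name, an action name or a page name. Deliberately short;
# extend the keyword list to taste.
_SUSPICIOUS_TEXT = re.compile(r"[<>\"'();]|\b(?:union|select|or)\b", re.I)

# Constructed sample log (not real traffic): one legitimate request, one with a
# non-numeric position, one with markup in "page", and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2006:10:00:01 +0000] "GET /members_only/index.cgi?id=4&username=r0t&seed=SEED&action=view_downline&level=Direct&position=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Apr/2006:10:00:02 +0000] "GET /members_only/index.cgi?id=4&username=r0t&seed=SEED&action=view_downline&level=Direct&position=1%27 HTTP/1.1" 500 88',
    '10.0.0.5 - - [18/Apr/2006:10:00:03 +0000] "GET /customer_area/index.cgi?id=1&username=r0t&seed=SEED&page=%3Cscript%3E HTTP/1.1" 200 600',
    '10.0.0.9 - - [18/Apr/2006:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def check_request(target):
    """Return the reasons a request target looks like probing of the flaws above.

    An empty list means the request is either not for a watched handler or all
    of its parameters have the shape the application expects.
    """
    parts = urlsplit(target)
    if parts.path not in _WATCHED_PATHS:
        return []
    # parse_qs percent-decodes, so %27 and %3C are inspected as ' and <.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name in _NUMERIC_PARAMS:
        for value in params.get(name, []):
            if not _INT_RE.match(value):
                reasons.append(f"{name}: non-numeric value {value!r}")
    for name in _TEXT_PARAMS:
        for value in params.get(name, []):
            if _SUSPICIOUS_TEXT.search(value):
                reasons.append(f"{name}: markup or SQL metacharacters in {value!r}")
    return reasons


def scan_log(lines):
    """Return [(line_number, reasons), ...] for every flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        reasons = check_request(match.group(1))
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

Run against a real access log, the same two functions work unchanged on `open(path)`; the 500 status on the second sample line is the kind of side signal (a CGI error page, which section 3 notes may include the script's full path) worth correlating with the parameter check.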

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
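As a worked illustration of the solution above, here is an added example of what "properly sanitised" means for the three classes of flaw in this advisory. It is not xFlow's code (the advisory does not reproduce any), and it is written in Python rather than the product's own CGI language for readability. The table name `downline`, its columns, the sample rows and the `view_downline`/`handle_request` functions are all assumptions made for the example; the parameter names are the ones the advisory lists.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs

# Strict shape for "id" and "position": a short run of decimal digits and nothing else.
_INT_RE = re.compile(r"^[0-9]{1,10}$")


def require_int(params, name):
    """Return parameter `name` as an int, or raise ValueError.

    Anything that is not a plain decimal number (quotes, spaces, SQL keywords) is
    refused here, before the value gets anywhere near a query (section 1).
    """
    values = params.get(name)
    if not values or not _INT_RE.match(values[0]):
        raise ValueError(f"parameter {name!r} must be a decimal integer")
    return int(values[0])


def build_db():
    """In-memory sample table; schema and rows are constructed for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE downline (id INTEGER, position INTEGER, username TEXT)")
    db.executemany(
        "INSERT INTO downline VALUES (?, ?, ?)",
        [(4, 1, "alice"), (4, 2, "bob"), (5, 1, "carol")],
    )
    return db


def view_downline(db, query_string):
    """Hardened version of an action=view_downline handler (hypothetical).

    - id and position are validated and then bound as SQL parameters; they are
      never interpolated into the statement text (section 1).
    - level and action are not used in SQL at all. Because the page echoes them
      back, they are HTML-escaped for that output context (section 2).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    member_id = require_int(params, "id")
    position = require_int(params, "position")
    level = html.escape(params.get("level", [""])[0], quote=True)
    action = html.escape(params.get("action", [""])[0], quote=True)
    rows = db.execute(
        "SELECT username FROM downline WHERE id = ? AND position = ?",
        (member_id, position),
    ).fetchall()
    # Data read back from the database is escaped too; it is untrusted in an HTML context.
    names = ", ".join(html.escape(row[0], quote=True) for row in rows)
    return f"<p>action={action} level={level}</p><p>{names}</p>"


def handle_request(db, query_string):
    """Top-level wrapper returning (status, body).

    A rejected parameter produces a fixed, generic error body instead of the
    interpreter's own error page, so no filesystem path or other internal detail
    is disclosed to the client (section 3).
    """
    try:
        return 200, view_downline(db, query_string)
    except ValueError:
        return 400, "<p>Invalid request.</p>"


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, "id=4&username=r0t&action=view_downline&level=Direct&position=1"))
```

The two halves of the fix are separate on purpose: validation decides whether a value is acceptable at all, while parameter binding and output escaping make sure that even an acceptable value can only ever be data in the SQL and HTML contexts it reaches.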
More information @ unsecured-systems.com/forum/

Copyright (c) 2006 Pridels Sec Crew