Aardvark Topsites PHP 5.2.1 security vulnerabilities disclosure


Some months ago, while working on a site running the Aardvark Topsites PHP application, I found a couple of information disclosure vulnerabilities and an HTML injection (cross-site scripting) vulnerability.


Now that I have some time, and after exchanging some emails with the application developer, I decided to report them and publish the details here.


These are easy-to-fix bugs, and I hope this helps to improve the security of the application.


All of them are caused by a lack of input validation and output sanitization: user-supplied parameters are used without being checked or escaped.


Affected versions: 5.2.1 and older

Publishing disclosure date: April 2009


Exploit details:




HTML Injection / XSS

(up to version 5.2.0)
The search term is reflected into the results page without being HTML-encoded. For example, it is possible to break out of the attribute and inject a link to any URL with any anchor text.

POC: /index.php?a=search&q=psstt+security"><a+href%3Dhttp%3A%2F%2Fwebsec.id3as.com>Web-Application-Security


Information Disclosure 1

(up to version 5.2.1)
Disclosure of the full filesystem path of the application sources when a negative number is passed in the 'start' parameter.

POC: /index.php?a=search&q=psstt&start=-4


Information Disclosure 2

(up to version 5.2.0)
Disclosure of the full filesystem path of the application sources, and of some source code as well, when a non-existent user is passed in the 'u' parameter.

POC: /index.php?a=rate&u=nonexistentuser
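The three reports above share one root cause, so here is a single added example (my own illustrative code, not Aardvark Topsites code) showing the kind of checks that close them: encode the reflected search term at output time, clamp 'start' to a valid non-negative offset, and validate 'u' and fail closed when the user does not exist, with PHP error display turned off so nothing about paths or source reaches the client. The `$FORM` array mirrors the request array used in the search.php snippet quoted in the comments; the function names, the `sites` table and the in-memory SQLite database are assumptions for the demo. The comments about what triggers each error are my reading of the symptoms, since the advisory only reports what is disclosed, not the failing line.

```php
<?php
// Added example, not the project's own code. Hypothetical handlers showing
// the input validation and output encoding the three reports call for.

// Never leak paths or source fragments to the client: log errors, don't print them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 1. HTML injection / XSS: the search term is reflected into the page, so it
//    must be HTML-encoded at output time (quotes included, because the PoC
//    breaks out of an attribute with a double quote).
function render_search_query(string $q): string
{
    return htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
}

// 2. Information disclosure 1: a negative 'start' most likely reaches a query
//    offset and the resulting error message exposes the script path (assumed
//    cause). Accept only integers in [1, $max]; anything else becomes offset 0.
function sanitize_start($raw, int $max = 100000): int
{
    $start = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    if ($start === false) {
        return 0;            // missing, non-numeric, zero or negative
    }
    return $start - 1;       // page numbers are 1-based, offsets 0-based
}

// 3. Information disclosure 2: rating a non-existent user takes an error path
//    that prints path and source. Validate the username format first, then
//    treat "no row" as a normal, generic failure instead of an error.
function validate_username($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

function rate_user(PDO $db, $raw): string
{
    $user = validate_username($raw);
    if ($user === null) {
        return 'Invalid username.';
    }
    $stmt = $db->prepare('SELECT id FROM sites WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'No such site.';   // same generic text for every unknown user
    }
    // ... record the rating for $row['id'] here ...
    return 'Rating recorded for ' . $row['username'] ?? $user;
}

// Demo against the PoC inputs from the advisory (constructed request data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sites (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO sites (username) VALUES ('realuser')");

$FORM = [
    'q'     => 'psstt security"><a href=http://websec.id3as.com>Web-Application-Security',
    'start' => '-4',
    'u'     => 'nonexistentuser',
];

echo render_search_query($FORM['q']), "\n";   // < > " are entity-encoded
echo sanitize_start($FORM['start']), "\n";     // 0
echo sanitize_start('3'), "\n";                // 2
echo rate_user($db, $FORM['u']), "\n";         // No such site.
echo rate_user($db, 'realuser'), "\n";         // Rating recorded ...
echo rate_user($db, '../x'), "\n";             // Invalid username.
```

Note that turning off `display_errors` is the one change that addresses both disclosure reports regardless of which line fails; the parameter checks then keep the error paths from being reachable at all.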




  1. #1 by Martyn - April 4th, 2010 at 04:51

    running 5.2.1 here – I fixed the information disclosure 1 problem by adding a check for the start value being less than zero in search.php as follows

    old code…

    if (isset($FORM['start'])) {
        $start = intval($FORM['start']);
        if ($start > 0) {
            $start--;
        }
        else {
            $start = 0;
        }
    }

    new code…

    if (isset($FORM['start'])) {
        $start = intval($FORM['start']);
        if ($start > 0) {
            $start--;
        }
        if ($start < 0) {    // reject negative page offsets
            $start = 0;
        }
    }

  2. #2 by Per - April 3rd, 2013 at 21:05

    I had this vulnerability in one of my sites. I found the IP address of the manipulated request, but then I realized that it is an open HTTP proxy. Do you know how I can find the real IP of the attacker?

    I found the IP address; it is from the USA and is published on this HTTP proxy list site. I don't know if that information is useful, but I wrote it here just in case. On that site there are several proxy IPs, and I think that any of them could be used to make an HTTP request, so I think it is not going to be easy to find the origin of the request.

    One more question: do you know if it's really that easy to use proxy lists from any country and make requests to other web sites without exposing your real IP?

    Thanks in advance!
    Per
