EV0138.txt

EV0138.txt: Posted Sep 14, 2006; Authored by Aliaksandr Hartsuyeu | Site evuln.com; NX5Linkx version 1.0 suffers from arbitrary file disclosure, multiple SQL injection, and HTTP response splitting vulnerabilities.; tags | exploit, web, arbitrary, vulnerability, sql injection; advisories | CVE-2006-4503, CVE-2006-4504, CVE-2006-4505; SHA-256 | 767ede366b554aeb6bf350b179f671e5cd739145acf7762bd05061614695ac0b; Download | Favorite | View

EV0138.txt

New eVuln Advisory:
NX5Linkx Multiple Vulnerabilities
http://evuln.com/vulns/138/summary.html

--------------------Summary----------------
eVuln ID: EV0138
CVE: CVE-2006-4503 CVE-2006-4504 CVE-2006-4505
Vendor: NX5
Vendor's Web Site: http://nx5ware.nx5.org/
Software: NX5Linkx
Sowtware's Web Site: http://nx5ware.nx5.org/links.php
Versions: 1.0
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
PoC/Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Arbitrary file disclosure Vulnerability 

Vulnerable script: link.php 

Parameter logo is not properly sanitized. It used as full local path to
logo filename. Script do the copy of this file in logos directory. This
directory is available from the web. 
This can be used to read arbitrary files. 


2. Multiple SQL Injections. 

Vulnerable scripts: The name of those scripts are defined by webmaster.
First - (a) displays links list. Second - (b) "out" script which do the
redirections when someone clicks on link 

Parameters c(script "a"), l(script "b") are not properly sanitized
before being used in SQL query. This can be used to make any SQL query
or make a HTTP response-splitting attack by injecting arbitrary SQL
code. 

Condition: magic_quotes_gpc = off 


3. HTTP Response Splitting. 

Vulnerable Script: link.php 

Parameter url is not properly sanitized. This can be used to make HTTP
Response Splitting attack. 



--------------PoC/Exploit----------------------
Available at: http://evuln.com/vulns/138/exploit.html


1. Arbitrary file disclosure Example.

URL: http://host/link.php
Logo URL: /etc/passwd

This file can be downloaded using the link:
http://host/logos/N.
N - ID of the link


2. SQL Injection Examples.

http://host/links.php? c=999'% 20union%20select% 201,222/*
http://host/out.php? l=999' union select 1,1,'http://google.com', 1,1,1,1/*



3. HTTP Response Splitting.

URL: http://host/link.php
URL(in form): http://host.com% 0D%0A%0D%0AHTTP/1.0 200 OK%0D%0A%0D% 0A.......

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
.

Top Authors In Last 30 Days

Red Hat 219 files
Ubuntu 55 files
LiquidWorm 20 files
Debian 18 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,158)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,830)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,245)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,969)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

EV0138.txt

EV0138.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

EV0138.txt

Share This

EV0138.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems