New eVuln Advisory: NX5Linkx Multiple Vulnerabilities http://evuln.com/vulns/138/summary.html --------------------Summary---------------- eVuln ID: EV0138 CVE: CVE-2006-4503 CVE-2006-4504 CVE-2006-4505 Vendor: NX5 Vendor's Web Site: http://nx5ware.nx5.org/ Software: NX5Linkx Sowtware's Web Site: http://nx5ware.nx5.org/links.php Versions: 1.0 Critical Level: Dangerous Type: Multiple Vulnerabilities Class: Remote Status: Unpatched. No reply from developer(s) PoC/Exploit: Available Solution: Not Available Discovered by: Aliaksandr Hartsuyeu (eVuln.com) -----------------Description--------------- 1. Arbitrary file disclosure Vulnerability Vulnerable script: link.php Parameter logo is not properly sanitized. It used as full local path to logo filename. Script do the copy of this file in logos directory. This directory is available from the web. This can be used to read arbitrary files. 2. Multiple SQL Injections. Vulnerable scripts: The name of those scripts are defined by webmaster. First - (a) displays links list. Second - (b) "out" script which do the redirections when someone clicks on link Parameters c(script "a"), l(script "b") are not properly sanitized before being used in SQL query. This can be used to make any SQL query or make a HTTP response-splitting attack by injecting arbitrary SQL code. Condition: magic_quotes_gpc = off 3. HTTP Response Splitting. Vulnerable Script: link.php Parameter url is not properly sanitized. This can be used to make HTTP Response Splitting attack. --------------PoC/Exploit---------------------- Available at: http://evuln.com/vulns/138/exploit.html 1. Arbitrary file disclosure Example. URL: http://host/link.php Logo URL: /etc/passwd This file can be downloaded using the link: http://host/logos/N. N - ID of the link 2. SQL Injection Examples. http://host/links.php? c=999'% 20union%20select% 201,222/* http://host/out.php? l=999' union select 1,1,'http://google.com', 1,1,1,1/* 3. HTTP Response Splitting. URL: http://host/link.php URL(in form): http://host.com% 0D%0A%0D%0AHTTP/1.0 200 OK%0D%0A%0D% 0A....... --------------Solution--------------------- No Patch available. --------------Credit----------------------- Discovered by: Aliaksandr Hartsuyeu (eVuln.com) Regards, Aliaksandr Hartsuyeu http://evuln.com - Penetration Testing Services .