
From:r0t <krustevs_(at)_googlemail.com>
Date:14.12.2005
Subject:Link Up Gold vuln.

Link Up Gold vuln.

Vuln. discovered by: r0t
Date: 13 dec. 2005
original advisory: http://pridels.blogspot.com/2005/12/link-up-gold-vuln.html
vendor: http://www.phpwebscripts.com/linkupgold/
affected version: 2.5 and prior


Product Description:

A unique script for running your own linksite/search engine. Hundreds of advanced features: unlimited number of categories in an unlimited number of levels, aliases for categories (cross-linked directories, the same feature that big search engines like Yahoo or Dmoz have), unlimited number of links and articles, fully featured paid links (advertisers can pay by using any payment company, PayPal IPN is also supported), rating system, fully customizable pages by using templates (all public pages are editable in any HTML editor), multiple skins (15 styles bundled with the software), blacklist, multiple administrators with different rights, integrated poll, ability to count incoming and outgoing hits, user registration, mailing lists, reviews for links and articles, message board and many more. Links and articles may be sorted by title, popularity, incoming hits, date added etc. Pages are dynamic (php extension); a plugin to create static html files or use Apache Rewrite is also available.


Vuln. Description:

1. SQL
Link Up Gold contains a flaw that allows remote SQL injection attacks. Input passed to the "number" parameter in "poll.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2. XSS
Link Up Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "link", "direction", "sort" and "phrase[]" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

/poll.php?action=vote&number=[SQL]

/tell_friend.php?link=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/search.php?action=search_links_advanced&phrase%5B0%5D=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/articles.php?n=122&page=1&sort=&direction=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/articles.php?n=122&page=1&sort=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

Solution:
Edit the source code to ensure that input is properly sanitised.
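What "properly sanitised" means for the two flaws above, as an added PHP example that is not Link Up Gold's own source: the weak pattern beside its corrected form for the "number" parameter and for a reflected parameter. The table and column names (`poll`, `votes`, `number`) and the mysqli connection are assumptions.

```php
<?php
// Added illustrative example, not the vendor's code. Table/column names
// and the mysqli handle are assumptions made for the demonstration.

// --- 1. SQL: the "number" parameter of poll.php --------------------------
// Weak pattern: the raw request value is interpolated into the query text,
// so a crafted "number" value changes the statement itself.
function vote_unsafe(mysqli $db, array $get): bool
{
    $number = $get['number'];
    return (bool) $db->query("UPDATE poll SET votes = votes + 1 WHERE number = $number");
}

// Hardened: validate the value as the integer the application expects and
// bind it as a parameter, so it can never become part of the SQL text.
function vote_safe(mysqli $db, array $get): bool
{
    $number = filter_var($get['number'] ?? '', FILTER_VALIDATE_INT);
    if ($number === false) {
        return false;                       // reject anything that is not an integer
    }
    $stmt = $db->prepare("UPDATE poll SET votes = votes + 1 WHERE number = ?");
    $stmt->bind_param('i', $number);        // 'i' = integer parameter
    return $stmt->execute();
}

// --- 2. XSS: "link", "direction", "sort", "phrase[]" echoed back ---------
// Weak pattern: the request value is written into the page unchanged, so
// a value like "><script>...</script> closes the attribute and runs as markup.
function render_unsafe(string $value): string
{
    return '<input type="text" name="link" value="' . $value . '">';
}

// Hardened: HTML-encode at output time; the same bytes now display as text.
// For array parameters such as phrase[], apply the same encoding per element
// (array_map) before any element reaches the page.
function render_safe(string $value): string
{
    $enc = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="link" value="' . $enc . '">';
}

// Demonstration with a constructed probe value (no database needed here).
$probe = '"><script>alert(1)</script>';
echo render_unsafe($probe), "\n";   // attribute is closed, script tag is live markup
echo render_safe($probe), "\n";     // quotes and angle brackets are entity-encoded
```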
