Leadhound multiple vuln.
###############################################
Vuln. discovered by : r0t
Date: 18 April 2006
vendor: http://www.leadhoundnetwork.com/
affected versions:
Leadhound "Full Remote version"
&
Leadhound LITE 2.1
original advisory:
http://pridels.blogspot.com/2006/04/leadhound-multiple-vuln.html
###############################################
Product info:
Leadhound's corporate offices. To help ensure maximum performance, a
dedicated high performance 128-bit SSL secured server is included as part of
the licensing agreement.
your approval, or rejection based on criteria that you set.
scalable, and serve 10,000's of affiliates. Our technology is proven,
reliable, and an affordable solution.
and countless hours of programming. Our technology is blended seamlessly
into your current design.
###############################################
Vuln. Description:
Leadhound contains flaws that allow remote SQL injection attacks. Input
passed to the "banner", "offset", "sub", "camp_id", "login", "logged" and
"agent_id" parameters in "agent_links.pl", "agent_transactions_csv.pl",
"agent_transactions.pl", "agent_subaffiliates.pl",
"agent_commission_statement.pl", "agent_summary.pl" and "agent_camp_det.pl"
isn't properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
Notice: to see which parameter is affected in which file, please look at the examples:
/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[SQL]
/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[SQL]
/cgi-bin/agent_transactions_csv.pl?login=r0t&logged=&camp_id=0&sub=[SQL]
/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[SQL]
/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[SQL]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[SQL]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]
/cgi-bin/agent_commission_statement.pl?login=[SQL]
/cgi-bin/agent_commission_statement.pl?login=r0t&logged=[SQL]
/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[SQL]
/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[SQL]
/cgi-bin/agent_camp_det.pl?login=r0t&logged=[SQL]
/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[SQL]
xssxssxssxssxssxssxssxssxssxssxssxssxssxssxss
Leadhound contains a flaw that allows a remote cross-site scripting attack.
This flaw exists because input passed to the
"login", "logged", "camp_id", "banner", "offset", "date", "dates" and "page"
parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.
examples:
/cgi-bin/agent_affil.pl?login=[XSS]
/cgi-bin/agent_help.pl?login=[XSS]
/cgi-bin/agent_faq.pl?login=[XSS]
/cgi-bin/agent_faq.pl?login=demo&logged=[XSS]
/cgi-bin/agent_help_insert.pl?login=[XSS]
/cgi-bin/agent_help_insert.pl?login=r0t&logged=[XSS]
/cgi-bin/sign_out.pl?login=[XSS]
/cgi-bin/members.pl?login=[XSS]
/cgi-bin/members.pl?login=r0t&logged=[XSS]
/cgi-bin/modify_agent_1.pl?login=[XSS]
/cgi-bin/modify_agent_1.pl?login=r0t&logged=[XSS]
/cgi-bin/modify_agent_2.pl?login=[XSS]
/cgi-bin/modify_agent_2.pl?login=r0t&logged=[XSS]
/cgi-bin/modify_agent.pl?login=[XSS]
/cgi-bin/modify_agent.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_links.pl?login=[XSS]
/cgi-bin/agent_links.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=[XSS]
/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[XSS]
/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[XSS]
/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]
/cgi-bin/agent_logoff.pl?login=[XSS]
/cgi-bin/agent_rev_det.pl?login=[XSS]
/cgi-bin/agent_rev_det.pl?login=r0t&dates=[XSS]
/cgi-bin/agent_subaffiliates.pl?login=[XSS]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[XSS]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[XSS]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=0&date=[XSS]
/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]
/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[XSS]
/cgi-bin/agent_stats_pending_leads.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_transactions.pl?login=[XSS]
/cgi-bin/agent_transactions.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[XSS]
/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=&date=[XSS]
/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]
/cgi-bin/agent_payment_history.pl?login=[XSS]
/cgi-bin/agent_summary.pl?login=[XSS]
/cgi-bin/agent_summary.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[XSS]
/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=0&date=[XSS]
/cgi-bin/agent_camp_all.pl?login=[XSS]
/cgi-bin/agent_camp_all.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_new.pl?login=[XSS]
/cgi-bin/agent_camp_new.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_notsub.pl?login=[XSS]
/cgi-bin/agent_camp_notsub.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_campaign.pl?login=[XSS]
/cgi-bin/agent_campaign.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_expired.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_expired.pl?login=[XSS]
/cgi-bin/agent_stats_det.pl?login=r0t&dates=[XSS]
/cgi-bin/agent_stats_det.pl?login=[XSS]
/cgi-bin/agent_stats.pl?login=[XSS]
/cgi-bin/agent_stats.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=2&page=[XSS]
/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[XSS]
/cgi-bin/agent_camp_det.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_det.pl?login=[XSS]
/cgi-bin/agent_camp_sub.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_camp_sub.pl?login=[XSS]
/cgi-bin/agent_affil_list.pl?login=r0t&logged=[XSS]
/cgi-bin/agent_affil_list.pl?login=[XSS]
/cgi-bin/agent_affil_code.pl?login=[XSS]
/cgi-bin/agent_affil_code.pl?login=r0t&logged=[XSS]
and
In the lost password field, enter XSS:
/cgi-bin/lost_pwd.pl [XSS]
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
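Until the scripts are fixed, the script and parameter lists above can be used to triage web-server logs. The following is an added example, not part of the original advisory or of Leadhound's code: it flags request targets where a parameter named in the advisory carries a value outside a strict allow-list. The allow-list pattern, the function name triage and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters the advisory lists as reaching a SQL query.
SQLI_PARAMS = {
    "agent_links.pl": {"banner", "offset"},
    "agent_transactions_csv.pl": {"sub"},
    "agent_transactions.pl": {"offset", "sub"},
    "agent_subaffiliates.pl": {"offset", "camp_id", "sub"},
    "agent_commission_statement.pl": {"login", "logged", "agent_id"},
    "agent_summary.pl": {"offset"},
    "agent_camp_det.pl": {"logged", "camp_id"},
}
# Parameters the advisory names as returned to the user unsanitised (XSS).
XSS_PARAMS = {"login", "logged", "camp_id", "banner", "offset",
              "date", "dates", "page"}

# Assumption: legitimate values are short identifiers, numbers or dates.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@:/-]{0,64}")

def triage(request_target):
    """Return sorted (parameter, class) findings for one request target."""
    parts = urlsplit(request_target)
    script = parts.path.rsplit("/", 1)[-1]
    if not parts.path.startswith("/cgi-bin/") or not script.endswith(".pl"):
        return []
    findings = set()
    # parse_qsl percent-decodes values, so encoded input is checked too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SAFE_VALUE.fullmatch(value):
            continue
        if name in SQLI_PARAMS.get(script, ()):
            findings.add((name, "sqli-param"))
        if name in XSS_PARAMS:
            findings.add((name, "xss-param"))
    return sorted(findings)

# Constructed sample request targets (not taken from real logs).
SAMPLE = [
    "/cgi-bin/agent_summary.pl?login=demo&logged=&submitted=1&offset=20",
    "/cgi-bin/agent_summary.pl?login=demo&logged=&submitted=1&offset=0%27",
    "/cgi-bin/agent_faq.pl?login=%3Cb%3Ex%3C%2Fb%3E",
    "/cgi-bin/agent_transactions_csv.pl?login=demo&camp_id=0&sub=a%20b",
]

if __name__ == "__main__":
    for target in SAMPLE:
        print(target, "->", triage(target) or "clean")
```

A finding means only that a listed parameter held an unexpected value; the same allow-list check, applied inside the scripts before the value reaches a query or the page output, is the kind of input validation the solution calls for.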
###############################################
More information @ unsecured-systems.com/forum/