Securityvulns SECURITYVULNS:DOC:12275
History: Apr 18, 2006 - 12:00 a.m.

Leadhound multiple vuln.

###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
vendor: http://www.leadhoundnetwork.com/
affected versions:
Leadhound "Full Remote version"
&
Leadhound LITE 2.1
original advisory:
http://pridels.blogspot.com/2006/04/leadhound-multiple-vuln.html
###############################################

Product info:

Secure private network - Leadhound technology is hosted in-house at
Leadhound's corporate offices. To help ensure maximum performance, a
dedicated high performance 128-bit SSL secured server is included as part of
the licensing agreement.

Full control over your affiliates - Each application can be reviewed for
your approval, or rejection based on criteria that you set.

Reliability - Leadhound was designed from the ground up to be fully
scalable, and serve 10,000's of affiliates. Our technology is proven,
reliable, and an affordable solution.

Time to market - Save tens of thousands of Dollars in development cost,
and countless hours of programming. Our technology is blended seamlessly
into your current design.

###############################################

Vuln. Description:

  1. Multiple SQL injection vuln.

Leadhound contains flaws that allow remote SQL injection attacks. Input
passed to the "banner", "offset", "sub", "camp_id", "login", "logged" and
"agent_id" parameters in "agent_links.pl", "agent_transactions_csv.pl",
"agent_transactions.pl", "agent_subaffiliates.pl",
"agent_commission_statement.pl", "agent_summary.pl" and "agent_camp_det.pl"
isn't properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Note: to see which parameter is affected in which file, please look at the examples:

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[SQL]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions_csv.pl?login=r0t&logged=&camp_id=0&sub=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[SQL]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[SQL]

/cgi-bin/agent_commission_statement.pl?login=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[SQL]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[SQL]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[SQL]

xssxssxssxssxssxssxssxssxssxssxssxssxssxssxss

  2. Multiple XSS vuln.

Leadhound contains a flaw that allows a remote cross site scripting attack.
This flaw exists because input passed to the "login", "logged", "camp_id",
"banner", "offset", "date", "dates" and "page" parameters isn't properly
sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.

examples:

/cgi-bin/agent_affil.pl?login=[XSS]

/cgi-bin/agent_help.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=[XSS]

/cgi-bin/agent_faq.pl?login=demo&logged=[XSS]

/cgi-bin/agent_help_insert.pl?login=[XSS]

/cgi-bin/agent_help_insert.pl?login=r0t&logged=[XSS]

/cgi-bin/sign_out.pl?login=[XSS]

/cgi-bin/members.pl?login=[XSS]

/cgi-bin/members.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_1.pl?login=[XSS]

/cgi-bin/modify_agent_1.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent_2.pl?login=[XSS]

/cgi-bin/modify_agent_2.pl?login=r0t&logged=[XSS]

/cgi-bin/modify_agent.pl?login=[XSS]

/cgi-bin/modify_agent.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner=[XSS]

/cgi-bin/agent_links.pl?login=r0t&logged=&camp_id=0&sub=&banner='0'&move=1&submitted=1&offset=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]

/cgi-bin/agent_logoff.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=[XSS]

/cgi-bin/agent_rev_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=&camp_id=0&date=[XSS]

/cgi-bin/agent_subaffiliates.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_commission_statement.pl?login=r0t&logged=&agent_id=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=[XSS]

/cgi-bin/agent_stats_pending_leads.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=&date=[XSS]

/cgi-bin/agent_transactions.pl?login=r0t&logged=&submitted=1&offset=0&sub=[XSS]

/cgi-bin/agent_payment_history.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=[XSS]

/cgi-bin/agent_summary.pl?login=r0t&logged=&submitted=1&offset=0&date=[XSS]

/cgi-bin/agent_camp_all.pl?login=[XSS]

/cgi-bin/agent_camp_all.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_new.pl?login=[XSS]

/cgi-bin/agent_camp_new.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=[XSS]

/cgi-bin/agent_camp_notsub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_campaign.pl?login=[XSS]

/cgi-bin/agent_campaign.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_expired.pl?login=[XSS]

/cgi-bin/agent_stats_det.pl?login=r0t&dates=[XSS]

/cgi-bin/agent_stats_det.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=[XSS]

/cgi-bin/agent_stats.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=2&page=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=&camp_id=[XSS]

/cgi-bin/agent_camp_det.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_det.pl?login=[XSS]

/cgi-bin/agent_camp_sub.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_camp_sub.pl?login=[XSS]

/cgi-bin/agent_affil_list.pl?login=r0t&logged=[XSS]

/cgi-bin/agent_affil_list.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=[XSS]

/cgi-bin/agent_affil_code.pl?login=r0t&logged=[XSS]

and the lost password field, where XSS can be entered:

/cgi-bin/lost_pwd.pl [XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
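
One way to apply the solution above, as an added Perl example that is not Leadhound's code and not part of the original advisory: allow-list validation for the affected parameters, HTML encoding before output, and a DBI placeholder query. The parameter formats, the `transactions` table and its columns are assumptions.

```perl
#!/usr/bin/perl
# Added example: hypothetical helpers, not Leadhound source code.
use strict;
use warnings;

# Allow-list per parameter. The formats are assumptions; tighten them to
# what the application really stores.
my %RULE = (
    offset   => qr/\A[0-9]{1,9}\z/,
    camp_id  => qr/\A[0-9]{1,9}\z/,
    agent_id => qr/\A[0-9]{1,9}\z/,
    login    => qr/\A[A-Za-z0-9_.-]{1,32}\z/,
);

# Return the value if it matches its rule, undef otherwise (reject, don't repair).
sub clean_param {
    my ($name, $value) = @_;
    my $rule = $RULE{$name} or die "no validation rule for '$name'\n";
    return (defined $value && $value =~ $rule) ? $value : undef;
}

# Encode the five HTML-significant characters before echoing a value.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENT{$1}/g;
    return $text;
}

# Query through a DBI placeholder: the driver sends $login as data, never as SQL.
# $dbh is a connected DBI handle; table and columns are hypothetical.
sub fetch_transactions {
    my ($dbh, $login, $offset) = @_;
    my $sql = sprintf 'SELECT id, amount FROM transactions '
                    . 'WHERE agent_login = ? ORDER BY id LIMIT 25 OFFSET %d',
                      $offset;    # digits only after clean_param()
    return $dbh->selectall_arrayref($sql, undef, $login);
}

# Constructed sample inputs, shaped like the query strings in the advisory.
for my $case ([offset => '0'], [offset => "0'"], [login => 'r0t'],
              [login => '<b>x</b>']) {
    my ($name, $raw) = @$case;
    my $ok = clean_param($name, $raw);
    printf "%-7s %-12s -> %s\n", $name, escape_html($raw),
           defined $ok ? 'accepted' : 'rejected';
}
```

Validation narrows what reaches the query, but the placeholder and the output encoding are what close the injection and XSS paths, so they belong in every script and parameter listed above.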
More information @ unsecured-systems.com/forum/