[UNIX] Multiple Vulnerabilities in phpAdsNew

• Previous message: SecuriTeam: "[UNIX] CitrusDB Directory Traversal and Arbitrary File Upload"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 15 Mar 2005 14:57:25 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Multiple Vulnerabilities in phpAdsNew
------------------------------------------------------------------------

SUMMARY

" <http://phpadsnew.com/two/> phpAdsNew is an open-source ad server, with
an integrated banner management interface and tracking system for
gathering statistics. With phpAdsNew you can easily rotate paid banners
and your own in-house advertisements. You can even integrate banners from
third party advertising companies."

Two types of vulnerabilities have been found in phpAdsNew, a path
disclosure and a cross site scripting.

DETAILS

Vulnerable Systems:
 * phpAdsNew version 2.0.4-pr1

Path Disclosure:
A path disclosure vulnerability was discovered in phpAdsNew ad server.
Path disclosure vulnerabilities allow malicious attacker gather
information about the server.

Examples:
Any of the following URLs will trigger the vulnerability:
http://[HOST]/[DIR]/libraries/lib-xmlrpcs.inc.php
http://[HOST]/[DIR]/maintenance/maintenance-activation.php
http://[HOST]/[DIR]/maintenance/maintenance-cleantables.php
http://[HOST]/[DIR]/maintenance/maintenance-autotargeting.php
http://[HOST]/[DIR]/maintenance/maintenance-reports.php
http://[HOST]/[DIR]/misc/backwards%20compatibility/phpads.php
http://[HOST]/[DIR]/misc/backwards%20compatibility/remotehtmlview.php
http://[HOST]/[DIR]/misc/backwards%20compatibility/click.php
http://[HOST]/[DIR]/adcontent.php

Once the vulnerability has occurred an error message such as this one will
return:
Warning: array_merge() [function.array-merge]: Argument #2 is not an array
in
/www/phpAdsNew-2.0.3/adcontent.php on line 72

Cross Site Scripting:
If register_globals variable has been set to on, the following URL will
cause the remote server to return the HTML and/or JavaScript it has been
provided:
http://[HOST]/[DIR]/adframe.php?refresh=example.com'>[XSS code]

Unofficial Patch:
Upgrade you version or download a fix provided by securityreason.com:
<here> http://securityreason.com/patch/phpadsnew.0.diff

ADDITIONAL INFORMATION

The information has been provided by <mailto:max@jestsuper.pl>
Maksymilian Arciemowicz.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] CitrusDB Directory Traversal and Arbitrary File Upload"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]