Multiple Vulnerabilities in NX5Linkx

Summary

Vulnerability: Multiple Vulnerabilities in NX5Linkx
Discovered: 2006.08.26
Last Update: 2006.09.05 Exploitation code published
ID: EV0138
CVE: CVE-2006-4503 CVE-2006-4504 CVE-2006-4505
Risk Level: high
Type: Multiple Vulnerabilities
Status: Unpatched. No reply from developer(s)
Vendor: NX5 (http://nx5ware.nx5.org/)
Vulnerable Software: NX5Linkx (http://nx5ware.nx5.org/links.php)
Version: 1.0
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the NX5Linkx (http://nx5ware.nx5.org/links.php) script.

1. Arbitrary file disclosure Vulnerability

Vulnerable script: link.php

The logo parameter is not properly sanitized. It is used as the full local path to the logo file, and the script copies that file into the logos directory. This directory is accessible from the web.

This can be used to read arbitrary files.

2. Multiple SQL Injections.

Vulnerable scripts: the names of these scripts are defined by the webmaster. The first (a) displays the list of links. The second (b) is the "out" script, which performs the redirection when someone clicks on a link.

The parameters c (script "a") and l (script "b") are not properly sanitized before being used in an SQL query. This can be used to run any SQL query, or to mount an HTTP response-splitting attack, by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

3. HTTP Response Splitting.

Vulnerable Script: link.php

The url parameter is not properly sanitized. This can be used to mount an HTTP Response Splitting attack.

PoC/Exploit

1. Arbitrary file disclosure Example.

URL: http://host/link.php

Logo URL: /etc/passwd

This file can be downloaded using the link:

http://host/logos/N.

N is the ID of the link.

2. SQL Injection Examples.

http://host/links.php?c=999'%20union%20select%201,222/*

http://host/out.php?l=999' union select 1,1,'http://google.com',1,1,1,1/*

3. HTTP Response Splitting.

URL: http://host/link.php

URL(in form): http://host.com%0D%0A%0D%0AHTTP/1.0 200 OK%0D%0A%0D%0A.......

Solution.

A solution for "Multiple Vulnerabilities in NX5Linkx" is not available. Check the NX5 website for updates.
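
With no vendor fix available, the checks below show how the three unsanitized inputs described in this advisory (logo, c/l and url) can be validated. This is an added example for PHP 7.1 or later, not NX5Linkx code or a patch from the vendor or from eVuln; the links table, its id and url columns, the function names, and the assumptions that c and l are numeric IDs and that the logo arrives as a normal file upload are all hypothetical.

```php
<?php
// Added example, not NX5Linkx code. Table, column and function names are
// hypothetical; c and l are assumed to be numeric IDs, logo a $_FILES upload.

// c / l: accept only positive integers, so no quote ever reaches the query.
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// "out" script lookup: the ID is bound, not concatenated, so the result does
// not depend on magic_quotes_gpc.
function find_link_url(PDO $db, $rawId): ?string
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT url FROM links WHERE id = ?');
    $stmt->execute([$id]);
    $url = $stmt->fetchColumn();
    return is_string($url) ? $url : null;
}

// url: refuse control characters (CR/LF included) and non-http(s) schemes
// before the value is stored or placed in a Location header.
function clean_link_url(string $url): ?string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = parse_url($url, PHP_URL_HOST);
    return in_array($scheme, ['http', 'https'], true) && is_string($host) ? $url : null;
}

// logo: take the file only from PHP's upload handling, never from a path the
// client names, and require it to parse as an image before it lands in logos/.
function store_logo(array $upload, int $linkId, string $logosDir): bool
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return false;
    }
    $info = getimagesize($upload['tmp_name']);
    $ok = $info !== false && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
    return $ok && move_uploaded_file($upload['tmp_name'], "$logosDir/$linkId");
}
```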