Multiple vulnerabilities have been discovered in Seo Panel, which can be exploited by malicious users to conduct script insertion attacks, SQL injection attacks, and disclose sensitive information and by malicious people to conduct cross-site scripting attacks, cross-site request forgery attacks, and bypass certain security restrictions.

1) Input passed via the "capcheck" and "dir_name" parameters to directories.php (when "sec" is set to "directorymgr") and via the "userName", "password", "confirmPassword", "firstName", "lastName", and "email" parameters to users.php (when "sec" is set to "create") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change an administrator's username and password when a logged-in administrator visits a specially crafted web site.

3) The "checkLoggedIn()" and "checkAdminLoggedIn()" functions in includes/sp-common.php do not properly terminate execution, which can be exploited to perform e.g. administrative actions via direct HTTP requests without being authenticated.

4) Input passed via various parameters to multiple scripts e.g. the "website_id" parameter to backlinks.php, cron.php, directories.php, generate-reports.php, graphical-reports.php, keywords.php, rank.php, saturationchecker.php, and sitemap.php, the "dir_id" and "url" parameters to directories.php, the "id" parameter to directories.php, keywords.php, seo-plugins-manager.php, and website.php, the "keyword_id" parameter to generate-reports.php and reports.php, the "seId" parameter to graphical-reports.php and reports.php, the "keywordId" parameter to graphical-reports.php and keywords.php, the "fromTime" and "toTime" parameters to graphical-reports.php, the "name", "country_code", and "lang_code" parameters to keywords.php, the "se_id" and "keyId" parameters to reports.php, the "seoplugin_id" and "pid" parameters to seo-plugins-manager.php, the "seotool_id" parameter to seo-tools-manager.php, the "userId" parameter to users.php, and the "websiteId" parameter to website.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed via various parameters to multiple scripts e.g. the "pid" parameter to seo-plugins-manager.php, the "firstName", "lastName", and "id" parameters to users.php, and the "name" parameter to website.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

6) Input passed via various parameters to multiple scripts e.g. the "keywordId" parameter to keywords.php (when "sec" is set to "reports"), the "website_urls" parameter to saturationchecker.php and backlinks.php, the "pageno" parameter to users.php and websites.php, the "userName" parameter to login.php and register.php, and the "firstName", "lastName", and "email" parameters to register.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) Input passed via the "firstName" and "lastName" parameters to users.php (when "sec" is set to "updatemyprofile") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

8) Input passed via the "dir_name", and "status" parameters to directories.php and the "time" parameter to reports.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

9) Input passed via various parameters to multiple scripts e.g. the "name" and "url" parameters to website.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

10) Input passed via the "file" parameter to download.php is not properly verified before being used to read files. This can be exploited to disclose the content of arbitrary files via directory traversal attacks.

The vulnerabilities #1 through #10 are confirmed in version 2.0.2. Other versions may also be affected.

11) Input passed to the "code" parameter in register.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

12) Input passed to the "proxy", "proxy_username", and "proxy_password" parameters in proxy.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #11 and #12 are confirmed in version 2.3.1. Other versions may also be affected.

13) Input passed via various parameters to multiple scripts e.g. the "stscheck" parameters to directories.php, the "searchengines", "website_id", "country_code", and "lang_code" parameters to keywords.php, and the "userid" and "user_id" parameters to websites.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

NOTE: Successful exploitation of vulnerabilities #4, #5, #8, #9, #10, and #13 requires authentication but can be exploited in combination with vulnerability #3.

Solution
Update to version 2.2.0, which fixes vulnerabilities #3, #4, #5, and #10. Upgrade to version 3.1.0, which fixes vulnerabilities #9 and #13. Upgrade to version 3.2.1, which fixes vulnerabilities #1, #6-8, and #11-12.

Provided and/or discovered by
1, 2) Russ McRee, reported via Secunia.
3 - 9, 13) Secunia Research
10) Independently discovered by Secunia Research and MaXe (@InterN0T)
11, 12) Ariko-Security.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2010-96/
http://secunia.com/secunia_research/2010-97/
http://secunia.com/secunia_research/2010-131/
http://secunia.com/secunia_research/2010-132/
http://secunia.com/secunia_research/2010-133/

Seo Panel:
http://forum.seopanel.in/viewtopic.php?f=7&t=105
http://forum.seopanel.in/viewtopic.php?f=7&t=3587
http://forum.seopanel.in/viewtopic.php?f=7&t=3866

Russ McRee:
http://holisticinfosec.org/content/view/152/45/

Ariko-Security:
http://advisories.ariko-security.com/2011/July/audyt_bezpieczenstwa_19.html

Deep Links
Links available to Secunia VIM customers