List: bugtraq
Subject: [Hat-Squad] SQL injection and XSS Vulnerabilities in HELM
From: Hat-Squad Security Team <bugtraq () hat-squad ! com>
Date: 2004-11-02 23:36:20
Message-ID: 20041103024332.2139.qmail () www ! securityfocus ! com
Hat-Squad Advisory: SQL injection and XSS Vulnerabilities in HELM
November 2, 2004
Product: HELM Web Hosting Control Panel
Vendor URL: http://helm.webhostautomation.com
Version: HELM 3.1.19 and lower
Vulnerability: SQL injection and XSS
Release Date: November 2, 2004
Vendor Status:
Informed on 28 October 2004
Response: 1 November 2004
Fixed on 1 November 2004
Description:
Helm is a multi-server management and control system for Windows 2000 and 2003 based web hosts. The system is designed for web hosting companies, datacenters and ISPs of any size that require a solid platform automating the day-to-day tasks which would otherwise require highly skilled manpower and large workforces.
Details:
The HELM Messaging module is used by resellers to keep customers up to date with the latest information. System information messages can also be sent to the messaging service to inform resellers and users of any problems. Due to the lack of proper input validation in this module, it is possible both to inject SQL commands and to inject malicious script into the system, and thereby gain "ADMIN" level access.
SQL Injection:
There is no input validation on the "messageToUserAccNum" parameter of the "compose message" form, so arbitrary SQL passed in this value is executed by the database. Using a man-in-the-middle HTTP tool (an intercepting proxy), a SQL query can be injected in the "messageToUserAccNum" value in the form:
[username]',[messageid],[isread]); [arbitrary sql query];--
Example:
A user with reseller level access can send the following value, which adds an account "root" with ADMIN privilege and a blank password to the account table in the HELM database:
xxxx',10,0); insert into account(accountnumber,accounttype,accountpassword) values('root',0,'');--
Cross Site Scripting:
XSS attack code can be sent in the "Subject" field of the "compose message" form. When the victim user (usually ADMIN) views the message, the attack code runs in their browser.
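As an added example (not from the advisory and not HELM's own code), the Python below models the defect class behind both findings and its defensive counterparts: an INSERT built by string concatenation, an allow-list check on messageToUserAccNum, parameter binding, and output escaping of the Subject. The schema, column names and validation pattern are assumptions; the injected value has the shape given in the advisory.

```python
import html
import re
import sqlite3

# Constructed schema modelled on the advisory's wording; the real HELM table
# layout is not on the page, so these column names are assumptions.
SCHEMA = ("create table account(accountnumber text, accounttype integer, accountpassword text);"
          "create table message(touser text, messageid integer, isread integer, subject text);")

# Shape of the messageToUserAccNum value the advisory describes: it closes the
# VALUES clause, stacks a second statement and comments out the remainder.
INJECTED_ACCNUM = ("xxxx',10,0); insert into account(accountnumber,accounttype,"
                   "accountpassword) values('root',0,'');--")

def vulnerable_insert_sql(to_user, message_id, is_read):
    """Builds the INSERT by concatenation: the defect class the advisory describes."""
    return f"insert into message(touser,messageid,isread) values('{to_user}',{message_id},{is_read})"

def validate_accnum(value):
    """Allow-list check; an account number is assumed to be a short alphanumeric token."""
    return re.fullmatch(r"[A-Za-z0-9]{1,32}", value) is not None

def store_message(conn, to_user, message_id, is_read, subject):
    """Hardened path: reject malformed account numbers, then bind every value."""
    if not validate_accnum(to_user):
        raise ValueError("messageToUserAccNum rejected")
    conn.execute("insert into message(touser,messageid,isread,subject) values(?,?,?,?)",
                 (to_user, message_id, is_read, subject))

def render_subject(subject):
    """Escape on output so a stored Subject renders as text, never as markup."""
    return html.escape(subject, quote=True)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Parameter binding alone defuses the stacked statement: the whole string is
    # stored as one literal and no row reaches the account table.
    conn.execute("insert into message(touser,messageid,isread) values(?,?,?)",
                 (INJECTED_ACCNUM, 10, 0))
    stored = conn.execute("select touser from message").fetchone()[0]
    accounts = conn.execute("select count(*) from account").fetchone()[0]
    try:
        store_message(conn, INJECTED_ACCNUM, 10, 0, "hi")
        rejected = False
    except ValueError:
        rejected = True
    return {"stored_literally": stored == INJECTED_ACCNUM, "accounts_created": accounts,
            "rejected": rejected, "subject_html": render_subject("<b>hello</b>")}
```

Run demo() to see that binding stores the injected value as a literal with no account created, while the allow-list check rejects it outright.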
Solution:
Update your HELM software to version 3.1.20.
Credits:
This vulnerability was discovered by Behrang Fouladi (behrang@hat-squad.com).
The original advisory can be found at:
http://www.hat-squad.com/en/000077.html