
List:       bugtraq
Subject:    [Hat-Squad] SQL injection and XSS Vulnerabilities in HELM
From:       Hat-Squad Security Team <bugtraq () hat-squad ! com>
Date:       2004-11-02 23:36:20
Message-ID: 20041103024332.2139.qmail () www ! securityfocus ! com



Hat-Squad Advisory: SQL injection and XSS Vulnerabilities in HELM
November 2, 2004 

Product: HELM Web Hosting Control Panel
Vendor URL: http://helm.webhostautomation.com
Version: HELM 3.1.19 and lower
Vulnerability: SQL injection and XSS 
Release Date: November 2, 2004

Vendor Status: 
Informed on 28 October 2004
Response: 1 November 2004
Fixed on 1 November 2004

Description:

Helm is a multi-server management and control system for Windows 2000 and 2003 based web hosts. The system is designed for web hosting companies, datacenters and ISPs of any size that require a solid platform automating the day-to-day tasks that would otherwise require highly skilled manpower and large workforces.

Details:

The HELM Messaging module is used by resellers to keep customers up to date with the latest information. System information messages can also be sent to the messaging service to inform resellers and users of any problems. Because this module does not properly validate its input, it is possible both to inject SQL commands and to inject malicious script into the system, and thereby to gain "ADMIN" level access.

SQL Injection:

There is no input validation on the "messageToUserAccNum" parameter of the "compose message" form, so arbitrary SQL can be executed by passing SQL code in that parameter.

Using an intercepting (man-in-the-middle) HTTP proxy, an SQL query can be injected into the "messageToUserAccNum" value in the form:

	[username]',[messageid],[isread]);  [arbitrary sql query];--

Example:

A user with reseller-level access can send the following value, which adds an account "root" with ADMIN privilege and a blank password to the account table in the HELM database:

xxxx',10,0);  insert into account(accountnumber,accounttype,accountpassword) values('root',0,'');--


Cross Site Scripting:

XSS attack code can be sent in the "Subject" field of the "compose message" form. When the victim user (usually ADMIN) views the message, the attack code runs in their browser.
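The following is an added example, not HELM's code, that re-creates the "compose message" storage and display path the two findings above describe: the string-built INSERT that accepts the advisory's messageToUserAccNum payload, beside a parameterised and validated version, and HTML-escaped output for the Subject field. The table names "message" and "messagerecipient", their columns, the account-number format and the seeded accounts are assumptions; the "account" table and its columns come from the advisory's payload, which also implies that accounttype 0 is the ADMIN level.

```python
"""Added example (not HELM's code): injectable vs. hardened handling of the
"compose message" form's messageToUserAccNum and Subject values."""
import html
import re
import sqlite3

# The messageToUserAccNum value quoted in the advisory.
ADVISORY_PAYLOAD = (
    "xxxx',10,0);  insert into account(accountnumber,accounttype,accountpassword) "
    "values('root',0,'');--"
)
ADMIN_TYPE = 0                                       # implied by the advisory's payload
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # assumed account-number format


def fresh_db() -> sqlite3.Connection:
    """In-memory schema constructed for this example (table/column names other
    than 'account' are assumptions), seeded with one admin and one customer."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table account(accountnumber text primary key,
                             accounttype integer not null,
                             accountpassword text not null);
        create table message(messageid integer primary key, subject text not null);
        create table messagerecipient(messageto text not null,
                                      messageid integer not null,
                                      isread integer not null);
        insert into account values ('admin', 0, 'x'), ('cust01', 2, 'x');
    """)
    return con


def admin_accounts(con) -> list:
    """Sorted account numbers that hold ADMIN level; used to observe the effect."""
    rows = con.execute("select accountnumber from account where accounttype = ?",
                       (ADMIN_TYPE,))
    return sorted(r[0] for r in rows)


def store_recipient_vulnerable(con, to_account: str, message_id: int, is_read: int):
    """The pattern the advisory describes: the form value is concatenated into the
    SQL text. executescript stands in for a driver that accepts stacked statements,
    as the ASP/SQL Server stack of the time did."""
    sql = ("insert into messagerecipient(messageto,messageid,isread) values ('"
           + to_account + "'," + str(message_id) + "," + str(is_read) + ")")
    con.executescript(sql)


def store_recipient_parameterized(con, to_account: str, message_id: int, is_read: int):
    """Bound parameters: the value can only ever be data, so the payload is stored
    as an odd-looking account number and executes nothing."""
    con.execute("insert into messagerecipient(messageto,messageid,isread) values (?,?,?)",
                (to_account, message_id, is_read))


def validate_recipient(con, to_account: str) -> None:
    """Server-side validation of messageToUserAccNum: syntactic check, then the
    recipient must be an existing account. Raises ValueError otherwise."""
    if not ACCOUNT_RE.match(to_account):
        raise ValueError("malformed account number")
    if con.execute("select 1 from account where accountnumber = ?",
                   (to_account,)).fetchone() is None:
        raise ValueError("unknown recipient")


def store_recipient_hardened(con, to_account: str, message_id: int, is_read: int):
    """Validation plus bound parameters: defence in depth for the same INSERT."""
    validate_recipient(con, to_account)
    store_recipient_parameterized(con, to_account, message_id, is_read)


def compose(con, message_id: int, subject: str) -> None:
    """Store the Subject as-is (parameterised); encoding happens at output time."""
    con.execute("insert into message(messageid, subject) values (?, ?)",
                (message_id, subject))


def render_inbox(con, account: str) -> str:
    """Inbox HTML for one account. Escaping the Subject at output time is what
    keeps a script-bearing subject inert when the admin views it."""
    rows = con.execute(
        "select m.subject from message m join messagerecipient r "
        "on r.messageid = m.messageid where r.messageto = ?", (account,))
    items = "".join("<li>%s</li>" % html.escape(r[0], quote=True) for r in rows)
    return "<ul>%s</ul>" % items


if __name__ == "__main__":
    vuln = fresh_db()
    store_recipient_vulnerable(vuln, ADVISORY_PAYLOAD, 10, 0)
    print("string-built INSERT, admins now:", admin_accounts(vuln))

    safe = fresh_db()
    store_recipient_parameterized(safe, ADVISORY_PAYLOAD, 10, 0)
    print("parameterised INSERT, admins still:", admin_accounts(safe))
    try:
        store_recipient_hardened(safe, ADVISORY_PAYLOAD, 10, 0)
    except ValueError as err:
        print("hardened path rejected the value:", err)

    compose(safe, 11, "<script>alert(1)</script>")
    store_recipient_hardened(safe, "admin", 11, 0)
    print(render_inbox(safe, "admin"))
```

Run as a script, the first connection ends up with a second ADMIN account, the parameterised connection stores the whole payload as a literal recipient and keeps one admin, the validated path rejects the value outright, and the rendered inbox shows the subject as text rather than markup. Validation alone would not be enough (an account number that passes the pattern could still be mishandled elsewhere), which is why the hardened function keeps both checks.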

Solution:

Update your HELM software to version 3.1.20.

Credits:

These vulnerabilities were discovered by Behrang Fouladi (behrang@hat-squad.com).

The original advisory can be found at:
http://www.hat-squad.com/en/000077.html

