lists.openwall.net mailing list archive (Bugtraq)
Message-Id: <0e0e7718351b493176260c7412b66a15@gmail.com>
Date: Tue, 28 Nov 2006 16:55:34 -0500
From: Vincent A.Menard <thabob@...il.com>
To: bugtraq@...urityfocus.com
Cc: dev@...ernc.org, submissions@...ketstormsecurity.org,
	users@...ernc.org
Subject: Multiple Vulnerabilities in AlternC version 0.9.5

ground418 security advisory

Date: 28-11-2006
Subject: Multiple Vulnerabilities in AlternC version 0.9.5 (and below).
Author: Vincent Audet Ménard <thabob@...il.com>
Original File:
	http://www.ground418.org/exploits/read.php?file=06-alternC-095.txt
Related Files:
	http://dev.alternc.org/trac/alternc/changeset/1737
	http://dev.alternc.org/trac/alternc/changeset/1738
	http://dev.alternc.org/trac/alternc/changeset/1739

Vendor: http://www.alternc.org/

Vulnerabilities:
- Possible XSS
- Remote code execution
- Unauthorized file and folder creation
- Full file system reading access

Risk: high


-[ About alternC ]

AlternC is an open source hosting services software suite. AlternC 
includes an automatic installation and configuration system, and a 
web-based control panel to manage users' accounts and web services 
(e.g. domains, emails, FTP accounts, statistics...).

-[ Remote code execution ]

It is possible to execute JavaScript by creating a directory with the 
file manager of AlternC.
Simply create a folder called 
"<script>alert(document.cookie);</script>" to have a demonstration.
This could also lead to a path disclosure if PHP is set to show 
warnings.

Once a user has used the phpMyAdmin in AlternC, the SQL password can be 
seen (in plain text) in the cookie. This could lead to SQL password 
theft if combined with an XSS.

-[ Unauthorized folder and file creation ]

You can create folders and files pretty much anywhere AlternC has 
the right to do so, simply by entering a filename like "../../test" in 
the "create name" input.

-[ Full FileSystem reading access ]

When configuring a subdomain, you can indicate that the files will be 
locally managed in a specific folder. You can configure your subdomain 
to have its web root in "../../../../../" so that you
have complete read access (subject to the apache/AlternC user's 
permissions) to the file system.

-[ Solution ]

Except for the SQL password visible in plain text, all these flaws are 
caused by bad input sanitization. Double dots and slashes should 
not be permitted anywhere. The form inputs in 'admin/bro_main.php', 
'admin/dom_subedit.php' and 'admin/dom_add.php' were causing the most 
critical flaws.
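As an added illustration of the fix described above (example code written for this page, not AlternC's own; the hosting root path, the function names and the sample inputs are assumptions), the following Python shows the three checks a file-manager or subdomain handler needs: a single-component rule for the "create name" input that refuses slashes and ".." outright, a confinement check that resolves a user-supplied web root and rejects anything that lands outside the account directory, and HTML escaping of names before they are listed, which is what stops the script-in-folder-name XSS.

```python
import html
import re
from pathlib import Path
from typing import Optional

# Constructed per-account root for the example; not AlternC's real layout.
USER_ROOT = Path("/var/alternc/html/u/user1")

# A created file or folder name is exactly one path component:
# letters, digits, dot, underscore, dash. No '/', no '\', no '<', no control chars.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def is_safe_name(name: str) -> bool:
    """Validate the 'create name' input as a single component under the current folder."""
    if not _NAME_RE.match(name):
        return False
    # '.' and '..' match the regex but are directory references, not names.
    return name not in (".", "..")


def confine(root: Path, user_path: str) -> Optional[Path]:
    """Resolve a user-supplied relative path against root and refuse any escape.

    Used for the subdomain 'local folder' setting: the result is None when the
    resolved path is not inside root, otherwise the absolute, normalized path.
    """
    if user_path.startswith("/") or "\\" in user_path or "\x00" in user_path:
        return None
    root_abs = root.resolve(strict=False)
    # strict=False resolves lexically even when the target does not exist yet,
    # so '../../../../../' collapses to '/' and is caught by relative_to().
    candidate = (root_abs / user_path).resolve(strict=False)
    try:
        candidate.relative_to(root_abs)
    except ValueError:
        return None
    return candidate


def display_name(name: str) -> str:
    """Escape a stored name for inclusion in the file-manager HTML listing."""
    return html.escape(name, quote=True)


def render_listing(names) -> str:
    """Build the <ul> the browser sees; every entry passes through display_name()."""
    return "<ul>" + "".join(f"<li>{display_name(n)}</li>" for n in names) + "</ul>"


if __name__ == "__main__":
    # Constructed inputs modelled on the advisory's three cases.
    for n in ("test", "../../test", "<script>alert(document.cookie);</script>"):
        print(f"create name {n!r}: {'accepted' if is_safe_name(n) else 'rejected'}")
    for p in ("www/site", "../../../../../"):
        print(f"web root {p!r}: {confine(USER_ROOT, p)}")
    print(render_listing(["docs", "<script>alert(1)</script>"]))
```

The two layers are deliberately redundant: `is_safe_name` rejects traversal at the input, and `confine` catches anything that reaches path construction by another route (a stored value, a second form). Output escaping is a separate fix and is needed even if names are validated, because names created before the fix may already be on disk.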

AlternC developers were alerted a few days ago and they released a 
new version. We highly recommend that you stop using 0.9.5 and consider 
upgrading to the newest version.

Version 0.9.6 is available at 
https://dev.alternc.org/trac/alternc/milestone/0.9.6

Vincent A. Menard
