With about 100.000 installs, VHCS (Virtual Hosting Control System) is
perhaps the best known professional control panel software being open source
and an excelent choice for shared, reseller, virtual and dedicated server
VHCS team recently released a security patch (dated on Feb, 5th). As I was
evaluating that software (mainly from a functional perspective) and I care
about security I decided to download it and have a look at it. Soon I realized
that the patch was flawed: it was indeed adding a big XSS security hole (by
removing specific XSS protection which existed in latest VHCS version -
126.96.36.199). I reported the problem to Alexander Kotov (VHCS project leader,
hereinafter will be referred as "the vendor"), with cc to Full-Disclosure
mailing-list. This is bug #1 and we will mark the related security patch
as "v.1". As a bonus, I also reported another bug: #2.
The vendor issued a new security patch (a.k.a. "v.2"), correcting the XSS
problems, and refused to explain what the real bug supposedly being fixed was,
either publicly neither privately. Moreover, they didn't inform its own users
of the problems with security patch v.1 and indeed they simply replaced the
old patch (v.1) with the new one (v.2), without changing filename nor issuing
any kind of warning. I'm differentiating them here by adding the "v.#" suffix.
I quickly researched the new patch. It only introduced one line of code into
check_login() function. I found a critical bug being partially fixed here.
Let's name it as bug #3. I also noticed the same function continued being
buggy (before or after applying patch v.2) and while testing former bugs I
discovered a new bug (#4). Finally vendor issued a third patch (dated on Feb,
9th), let's call it v.3. It corrected bug #3 but not #4 (which is 0day at the
time of writing this advisory).
One of the vulnerabilities is rated as "critical", while two other ones
are marked as having severity "high".
RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems
On 29.May.2004, I disclosed an important XSS vulnerability
in latest versions of a well-known webmail: SquirrelMail. Upon publication I
received the notice that other important webmails were also vulnerable to the
same bug. Indeed the same exploits released for SquirrelMail worked without
any changes in these systems. I decided to contact several other webmail
vendors and ask directly to check their software and confirm or deny the
The purpose of this brief advisory is to provide you with
the collected info in an objective and summarized way.
SquirrelMail is a well-known and widely deployed webmail system. As defined
in SM's official site: it "is a standards-based webmail package written in
PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols,
compatibility across browsers. It has very few requirements and is very
easy to configure and install. SquirrelMail has all the functionality you
would want from an email client, including strong MIME support, address books
and folder manipulation".
A vulnerability has been discovered in SM. Due to unsanitized user input,
a specially crafted e-mail being read by the victim using SM will make injection
of arbitrary tags possible. When correctly exploited, it will permit the
victim's browser. Compromise of webmail account, cookie theft or further
exploitation of any local existing vulnerability in browser (specially easy in
the case of MS-IE, which is still plenty of pending [unpatched] sec-vulns) are
only some examples of the possibilities.
Contrary to popular belief, not all XSS bugs need social engineering to be
performed in order to trigger a successful exploitation. The bug being disclosed
in this advisory proves this fact. A simple reading of an specially
crafted e-mail sent by the attacker could derive in a compromise of security.
I rated this vulnerability as "medium/high" (instead of "low", as other XSS
bugs) because of this reason.
As a side effect of my research I discovered that older known SM flaws were
still present in latest Debian stable (Woody) package. I will also discuss
them here (there is no need to issue another advisory only for that ;-)).
Mundofree.com es un conocido portal web orientado a servicios relacionados
con Internet. Entre otras cosas ofrece cuentas de correo, agenda web y
La aplicación web incluye diversos CGIs programados en Perl, algunos de los
cuales no validan la entrada de usuario de forma adecuada o no están
protegidos por ningún tipo de autentificación cuando deberían estarlo. Como
resultado, es posible visualizar cualquier fichero del servidor de forma
trivial, mostrar las sesiones activas e incluso ejecutar código arbitrario
(bajo el contexto del usuario 'nsuser', i.e., el usuario de iPlanet).