

RS-2006-1: Multiple flaws in VHCS 2.x

   With about 100,000 installs, VHCS (Virtual Hosting Control System) is perhaps the best-known professional open source control panel and an excellent choice for shared, reseller, virtual and dedicated server management.

   The VHCS team recently released a security patch (dated February 5th). As I was evaluating the software (mainly from a functional perspective) and I care about security, I decided to download the patch and have a look at it. I soon realized that the patch was flawed: it actually added a big XSS hole by removing specific XSS protection that existed in the latest VHCS release. I reported the problem to Alexander Kotov (VHCS project leader, hereinafter "the vendor"), with a cc to the Full-Disclosure mailing list. This is bug #1, and the related security patch is referred to below as "v.1". As a bonus, I also reported another bug: #2.

   The vendor issued a new security patch ("v.2") correcting the XSS problems, but refused to explain, either publicly or privately, what the real bug supposedly being fixed was. Moreover, they did not inform their own users of the problems with patch v.1: they simply replaced the old patch (v.1) with the new one (v.2) without changing the filename or issuing any kind of warning. The "v.#" suffixes used here are mine, to tell the patches apart.

   I quickly researched the new patch. It only introduced one line of code into the check_login() function. I found a critical bug being partially fixed there; let's call it bug #3. I also noticed that the same function remained buggy (both before and after applying patch v.2), and while testing the previous bugs I discovered a new one (#4). Finally the vendor issued a third patch (dated February 9th), v.3. It corrected bug #3 but not #4, which is still 0day at the time of writing this advisory.

   One of the vulnerabilities is rated "critical", while two others are rated "high".

Download   RS-Labs-Advisory-2006-1.txt  (13.3 KB)

RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems

   On 29.May.2004 I disclosed an important XSS vulnerability in the latest versions of a well-known webmail system, SquirrelMail. Upon publication I was informed that other important webmail systems were also vulnerable to the same bug; indeed, the exploits released for SquirrelMail worked in those systems without any changes. I decided to contact several other webmail vendors and ask them directly to check their software and confirm or deny the vulnerability.

   The purpose of this brief advisory is to present the collected information in an objective and summarized form.

Download   RS-Labs-Advisory-2004-2.txt  (6.63 KB)

RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability

   SquirrelMail is a well-known and widely deployed webmail system. As described on SM's official site, it "is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books and folder manipulation".

   A vulnerability has been discovered in SM. Due to unsanitized user input, a specially crafted e-mail read by the victim with SM makes injection of arbitrary tags possible. When correctly exploited, it permits the execution of scripts (JavaScript, VBScript, etc.) in the context of the victim's browser. Compromise of the webmail account, cookie theft, or further exploitation of any local browser vulnerability (especially easy in the case of MS-IE, which still has plenty of pending [unpatched] security vulnerabilities) are only some of the possibilities.

   Contrary to popular belief, not all XSS bugs require social engineering for successful exploitation. The bug disclosed in this advisory proves this: simply reading a specially crafted e-mail sent by the attacker can result in a security compromise. For this reason I rated this vulnerability "medium/high" instead of "low", the usual rating for XSS bugs.
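   To make the bug class concrete, here is an added illustration (written in Python for this listing; it is not code from SquirrelMail, from any other webmail, or from the advisory itself). It shows a webmail-style attachment listing that interpolates the attacker-controlled "name" parameter of a MIME Content-Type header into HTML without escaping, next to a hardened version that escapes every header-derived string. The message, the payload and the rendering functions are all constructed for this example; the affected code path in SM is described in the linked advisory text and is not reproduced here.

```python
import email
import html

# Constructed sample message for this example (not taken from the advisory).
# The attachment's Content-Type "name" parameter carries HTML markup; nothing
# in the message asks the victim to click anything, reading it is enough.
RAW_MESSAGE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello.
--b1
Content-Type: application/octet-stream; name="a<script>alert(1)</script>.txt"
Content-Disposition: attachment
Content-Transfer-Encoding: 7bit

not really a file
--b1--
"""


def parse_sample():
    """Parse the constructed message with the standard library MIME parser."""
    return email.message_from_bytes(RAW_MESSAGE)


def attachment_parts(msg):
    """Yield (name, content_type) for every non-multipart part.

    Both values come straight from headers the sender controls.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_param("name") or "(unnamed)"
        yield name, part.get_content_type()


def render_attachment_list_vulnerable(msg):
    """Interpolate header-derived strings into HTML with no escaping.

    The markup inside the "name" parameter reaches the victim's browser as-is.
    """
    items = [f"<li>{name} ({ctype})</li>" for name, ctype in attachment_parts(msg)]
    return "<ul>" + "".join(items) + "</ul>"


def render_attachment_list_hardened(msg):
    """Same listing, with every header-derived string HTML-escaped at output time."""
    items = [
        f"<li>{html.escape(name, quote=True)} ({html.escape(ctype, quote=True)})</li>"
        for name, ctype in attachment_parts(msg)
    ]
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    m = parse_sample()
    print("vulnerable:", render_attachment_list_vulnerable(m))
    print("hardened:  ", render_attachment_list_hardened(m))
```

   The point of the hardened version is that escaping is applied at the moment a value is written into the page, to every value that originates in the message (type, subtype, parameters such as name or charset, filenames), rather than to one field that happened to be noticed. Note that the exact sanitization added in real webmail fixes differs from this toy; this only shows the class of mistake.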

   As a side effect of my research I discovered that older known SM flaws were still present in the latest Debian stable (Woody) package. I will also discuss them here (there is no need to issue another advisory just for that ;-)).

Download   RS-Labs-Advisory-2004-1.txt  (32.1 KB)

RS-2003-1: Vulnerable CGI in ""
10.May.2003

   The site is a well-known web portal oriented to Internet-related services. Among other things, it offers e-mail accounts, a web calendar and free hosting.

   The web application includes several CGIs written in Perl, some of which do not validate user input properly or are not protected by any kind of authentication when they should be. As a result, it is trivial to view any file on the server, list the active sessions and even execute arbitrary code (in the context of the 'nsuser' account, i.e., the iPlanet user).

Download   RS-Labs-Advisory-2003-1.txt  (8.62 KB)