Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] HELM Management and Control System SQL Injection and XSS Vulnerabil

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] HELM Management and Control System SQL Injection and XSS Vulnerabilities
Date: 3 Nov 2004 17:10:28 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  HELM Management and Control System SQL Injection and XSS Vulnerabilities
------------------------------------------------------------------------


SUMMARY

" <http://helm.webhostautomation.com> Helm is a multi-server management 
and control system for Windows 2000 and 2003 based web hosts. The system 
is designed for any size web hosting companies, datacenters and ISPs, 
which require a solid platform that automates all of the day-to-day tasks 
that would otherwise require highly skilled man power, and large work 
forces."

SQL injection and cross site scripting attacks are plausible in HELM due 
to lack of input validation in various fields of the "compose message" 
form.

DETAILS

Vulnerable Systems:
 * HELM version 3.1.19 and prior

Immune Systems:
 * HELM version 3.1.20

The HELM Messaging module is used by resellers to keep customers up to 
date with the latest information. System information messages can also be 
sent to the messaging service to inform resellers and users of any 
problems. Due to the lack of proper input validation in this module, it's 
possible both to inject SQL commands and malicious script to the system to 
gain "ADMIN" level access to the system.

SQL Injection
There is no input validation for the "messageToUserAccNum" parameter of 
the "compose message" form, facilitating execution of crafted SQL queries 
by passing arbitrary SQL code. By using a Man in The Middle HTTP tool, 
it's possible to inject SQL query in "messageToUserAccNum" value, in the 
form of:
        [username]',[messageid],[isread]);  [arbitrary sql query];--

For example, a user with reseller level access can send the following 
value that will add an account 'root' with ADMIN privilege and blank 
password to the account table in HELM database:
xxxx',10,0);  insert into 
account(accountnumber,accounttype,accountpassword) values('root',0,'');--

Cross Site Scripting
The malicious script code can be placed within the 'Subject' field of the 
'Compose Message' form. Since the code is unfiltered, viewing of the 
message by another user on the system will trigger the code.

Vendor Status:
The vendor has fixed the security issues and a newer version is available 
for download. Users are highly encouraged to upgrade to the latest 
version.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bugtraq@hat-squad.com> 
Hat-Squad Security Team.
The original article can be found at:  
<http://www.hat-squad.com/en/000077.html> 
http://www.hat-squad.com/en/000077.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] HELM Management and Control System SQL Injection and XSS Vulnerabilities, SecuriTeam <=
Previous by Date:  [REVS] Second Order Code Injection Attacks, SecuriTeam
Next by Date:  [UNIX] qwik-smtpd Format String Vulnerability, SecuriTeam
Previous by Thread:  [REVS] Second Order Code Injection Attacks, SecuriTeam
Next by Thread:  [UNIX] qwik-smtpd Format String Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]