Network Security Vuln-Dev

Multiple Vulnerabilities in AlternC version 0.9.5

Subject: Multiple Vulnerabilities in AlternC version 0.9.5
Date: Tue, 28 Nov 2006 16:55:34 -0500
ground418 security advisory

Date: 28-11-2006
Subject: Multiple Vulnerabilities in AlternC version 0.9.5 (and below).
Author: Vincent Audet Ménard <thabob@gmail.com>
Original File:
        http://www.ground418.org/exploits/read.php?file=06-alternC-095.txt
Related Files:
        http://dev.alternc.org/trac/alternc/changeset/1737
        http://dev.alternc.org/trac/alternc/changeset/1738
        http://dev.alternc.org/trac/alternc/changeset/1739

Vendor: http://www.alternc.org/

Vulnerabilities:
- Possible XSS
- Remote code execution
- Unauthorized file and folder creation
- Full file system reading access

Risk: high


-[ About alternC ]

AlternC is an open source hosting services software suite. AlternC includes an automatic installation and configuration system and a web-based control panel for managing user accounts and web services (e.g. domains, email, FTP accounts, statistics...).

-[ Remote code execution (client-side: cross-site scripting) ]

It is possible to execute JavaScript by creating a directory through AlternC's file manager: the directory name is placed in the page without being escaped.
For a demonstration, simply create a folder named "<script>alert(document.cookie);</script>".
The same unchecked input can also disclose the installation path if PHP is configured to display warnings.


Once a user has opened phpMyAdmin through AlternC, the SQL password is stored in plain text in a cookie. Combined with the XSS above, this allows the SQL password to be stolen.
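As an added illustration of the flaw above (this is not AlternC code; the listing functions and the sample entries are constructed for the example), here is how a file-manager listing that pastes raw directory names into its markup produces a live script element, and how encoding each name for the context it lands in (URL inside the href, HTML entities for the visible text) removes the problem:

```python
import html
from urllib.parse import quote

# Constructed sample listing, including the directory name from the
# advisory. Nothing here is read from a real AlternC installation.
SAMPLE_ENTRIES = [
    "www",
    "images",
    "<script>alert(document.cookie);</script>",
]


def render_listing_vulnerable(entries):
    """Builds the listing by pasting names straight into the markup.
    The third entry becomes a real <script> element, so the browser
    runs it with the panel's cookies (which, per the advisory, may
    hold the SQL password after phpMyAdmin has been used)."""
    rows = []
    for name in entries:
        rows.append(f'<li><a href="?dir={name}">{name}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"


def render_listing_safe(entries):
    """Same listing with each name encoded for the context it lands in:
    percent-encoding inside the href, HTML entity encoding for the
    visible text. The name still displays exactly as created, but the
    parser sees data, not tags."""
    rows = []
    for name in entries:
        href = quote(name, safe="")           # "<" -> "%3C", "/" -> "%2F"
        text = html.escape(name, quote=True)  # "<" -> "&lt;", '"' -> "&quot;"
        rows.append(f'<li><a href="?dir={href}">{text}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"


def has_live_script_tag(markup):
    """Crude detector used to compare the two renderers: an unescaped
    <script opening tag anywhere in the output."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_listing_vulnerable(SAMPLE_ENTRIES))
    print(render_listing_safe(SAMPLE_ENTRIES))
```

Output encoding is the fix for the display side; it does not depend on restricting which characters a directory name may contain, so a name that is legitimate on the filesystem stays usable while the page remains inert.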

-[ Unauthorized folder and file creation ]

Folders and files can be created almost anywhere the AlternC user has write permission, simply by entering a name such as "../../test" in the "create name" input.

-[ Full FileSystem reading access ]

When configuring a subdomain, you can indicate that its files are managed locally in a specific folder. Setting that folder to "../../../../../" makes the subdomain's web root the top of the file system, giving read access to everything the apache/AlternC user can read.


-[ Solution ]

Except for the SQL password stored in plain text, all of these flaws are caused by missing input sanitization. Double dots and slashes should not be accepted in these inputs. The form inputs in 'admin/bro_main.php', 'admin/dom_subedit.php' and 'admin/dom_add.php' were responsible for the most critical flaws.
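One way to implement the check for both inputs described above, the file manager's "create name" field and the subdomain's locally managed folder, as an added example that is not AlternC's own code (the account root path and the function names are constructed for illustration). Stripping ".." and "/" literally, as suggested above, also rejects legitimate nested folders in the subdomain field; the more robust check is to resolve the supplied path against the account's root and refuse anything that lands outside it:

```python
import posixpath

# Constructed root for one hosting account. The real AlternC layout is
# not assumed; only the rule "everything must stay under root" matters.
ACCOUNT_ROOT = "/var/alternc/html/e/example"


def resolve_naive(root, user_path):
    """What the vulnerable inputs amount to: the user's string is joined
    to the account root and used as-is, so ".." segments walk out."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_inside(root, user_path):
    """Return the normalised absolute path for user_path under root, or
    None if it would land outside root. Pure string logic, so it runs
    offline; a real deployment should also os.path.realpath() the
    result before use so a symlink inside root cannot point out of it."""
    if "\0" in user_path:
        return None
    root = posixpath.normpath(root)
    # Every input is treated as relative to root, even "/etc/passwd".
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    # The trailing "/" matters: "/var/.../example2" must not pass for
    # root "/var/.../example".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def create_name_ok(name):
    """File-manager 'create name' field: a single path component, with
    nothing that could move the operation into another directory."""
    return name not in ("", ".", "..") and "/" not in name and "\0" not in name


def subdomain_folder(root, folder):
    """Subdomain 'locally managed folder' field: the folder may contain
    slashes, so confine by resolution rather than by banning characters."""
    return resolve_inside(root, folder)


if __name__ == "__main__":
    for probe in ("www/site", "../../test", "../../../../../"):
        print(repr(probe), "naive ->", resolve_naive(ACCOUNT_ROOT, probe),
              "| confined ->", resolve_inside(ACCOUNT_ROOT, probe))
```

The naive resolver reproduces both advisory payloads: "../../test" lands two levels above the account and "../../../../../" resolves to "/", which is exactly the full-filesystem web root described above. The confined resolver returns None for both while still accepting nested folders such as "www/../blog".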

The AlternC developers were alerted a few days ago and have released a new version. We strongly recommend that you stop using 0.9.5 and upgrade to the newest version.

Version 0.9.6 is available at https://dev.alternc.org/trac/alternc/milestone/0.9.6

Vincent A. Menard
