Vulnerability Development mailing list archives

PSOFT H-Sphere XSS Vulnerabilities


From: Lorenzo Manuel Hernandez Garcia-Hierro <security () lorenzohgh com>
Date: 9 Jun 2003 17:47:54 -0000



--------------------
Product: PSOFT H-Sphere ( Hosting Control Panel )
Vendor: PSOFT ( Positive Software Corporation )
Versions:
         VULNERABLE
         
         - 2.3.x
         - 2.2.x
         - 2.1.x
         - 2.0.x
        
         NOT VULNERABLE
        
         - ?
---------------------

Description:

H-Sphere is a scalable multi-server web hosting control panel which 
provides complete hosting automation for Linux, BSD and Win2000 platforms, 
is easy to use, and has an extensive user interface, billing solution, and 
integrated trouble ticket system.

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered many XSS (Cross Site Scripting) vulnerabilities in 
PSOFT's product H-Sphere, located in the template inclusion system.
The failure is in the way the template system includes an HTML 
template page: if the page does not exist, the system prints an error like this:

Unknown template : '[PATH TO NON EXISTENT TEMPLATE PAGE]'

With this you can insert HTML and script code by passing it in the URL, 
like this:

http://[TARGET]/[PATH TO PSOFT H-SPHERE INSTALLATION]/servlet/psoft.hsphere.CP/[VALID AND LOGGED USER]/[ID]/[PATH OF H-SPHERE USER SCRIPTS]/servlet/psoft.hsphere.CP?template_name=[HERE COMES YOUR CODE]


The new error page prints this:


Unknown template : '[HERE COMES YOUR CODE]'

And the user's web browser executes all the code and scripts included in 
the new error page.
This can be used to steal user cookies, such as:

MACTOKEN=[USER]|0000000xxxxxx|0xxxxx0000xxxx0000xxxx0000xxxx00

STRUCTURE OF THE H-SPHERE COOKIE:

MACTOKEN=[USERNAME]|[USER PASSWORD]|[USER SESSION ID]

You can modify your own H-Sphere cookie according to the stolen user cookie 
and use the system with the user's credentials; think of modifying 
user hosting plans... ;-) .

Note that the user must be validly logged in the whole time, or the attacker 
must use a specially crafted URL to include commands on the client side 
through the template system. I am thinking of some public URLs...


--------------
    SAMPLES
--------------

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP?action=login&ftemplate=[MORE CODE AND XSS]&requestURL="><h1>XSS%20in%20PSOFT%20SPHERE<a%20href="&login=[USERNAME]&password=[PASSWORD]

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<H1>xss</H1>

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<IFRAME>

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<h1>XSS

http://[TARGET]/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<script>alert(document.cookie);</script>


All URLs that take the template, ftemplate or template_name URL input 
are affected by this type of XSS attack.
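The reflection point described above, rendered the unsafe way and the encoded way, plus a check that flags requests carrying markup in those same parameters. This is an added example, not H-Sphere's or PSOFT's code: the error-message functions imitate the message text quoted in this advisory, the log lines and the path segments 'alice' and '42' are constructed, and the parameter names are the ones listed above.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory names as being reflected into the page unescaped.
REFLECTED_PARAMS = ("template_name", "ftemplate", "requestURL")

def render_error_vulnerable(template_name: str) -> str:
    """Imitates the behaviour described above: the missing-template name
    is copied into the HTML error page without any encoding."""
    return f"Unknown template : '{template_name}'"

def render_error_hardened(template_name: str) -> str:
    """Same message, but the attacker-controlled value is HTML-entity
    encoded (quotes included) before it reaches the response body."""
    return f"Unknown template : '{html.escape(template_name, quote=True)}'"

# Characters that have no business in a template path or a redirect target.
MARKUP = re.compile(r"[<>\"']")

def flag_request(request_line: str) -> list[str]:
    """Given one access-log request line ('GET /path?query HTTP/1.0'),
    return the reflected parameters whose decoded value carries markup.
    The value is decoded once more so double-encoded probes are caught."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else parts[0]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name in REFLECTED_PARAMS:
        for value in params.get(name, []):
            if MARKUP.search(unquote(value)):
                hits.append(name)
                break
    return hits

# Constructed sample log lines (hypothetical user 'alice', account id 42).
SAMPLE_LOG = [
    "GET /servlet/psoft.hsphere.CP/alice/42/psoft.hsphere.CP"
    "?template_name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0",
    "GET /servlet/psoft.hsphere.CP?action=login&ftemplate=index"
    "&requestURL=%22%3E%3Ch1%3EXSS HTTP/1.0",
    "GET /servlet/psoft.hsphere.CP/alice/42/psoft.hsphere.CP"
    "?template_name=mail/index.html HTTP/1.0",
]

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (request line, flagged parameters) for each suspicious line."""
    return [(line, flag_request(line)) for line in lines if flag_request(line)]
```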


-------------------------
| CONCLUSIONS AND NOTES |
-------------------------

All the URLs that use this template inclusion input are affected by this 
hole.
User data and cookies can be stolen through this without permission.
In some conditions we can pass server-based commands.
The server can pick up specially crafted URLs and input values.
We can enter other users' domain configurations by passing a specific domain 
id value.

- I tested this in the official PSOFT demo and it worked, but recently they changed 
the demo and don't allow me to enter the system.
The system says a Generic Error.  ;-).

-----------
| CONTACT |
-----------

Lorenzo Manuel Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 www.novappc.com
 security.novappc.com
 www.lorenzohgh.com
 ______________________