[NEWS] Sphera HostingDirector and Final User Control Panel CSS, DoS and Session Hijacking
From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/03
To: list@securiteam.com Date: 24 Jun 2003 18:58:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -
Sphera HostingDirector and Final User Control Panel CSS, DoS and Session Hijacking
------------------------------------------------------------------------
SUMMARY
<http://www.Sphera.com> Sphera's HostingDirector comprises three
fundamental components that are integrated to provide rich offerings,
maximum control for resellers and site owners, and easy, centralized
administration of shared and dedicated environments running on Linux and
Microsoft Windows. Multiple vulnerabilities have been found in the product
that allow remote attackers to insert malicious HTML or JavaScript into
existing pages (and thereby hijack existing connections), to shut down
the server without being authenticated, and to recreate existing
session numbers (and thereby hijack those sessions).
DETAILS
Cross Site Scripting Vulnerability
The following URLs illustrate which scripts are vulnerable to cross
site scripting:
http://[TARGET]/[INSTALLATION]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE , TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]
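The following PHP is an added illustration, not Sphera's code, of the reflection flaw the URLs above exercise and of its fix: the uid and error parameters are written into an HTML attribute value and an element body, first unencoded and then passed through htmlspecialchars() for the attribute context. The function names and the sample input are constructed for the example.

```php
<?php
// Added example (not Sphera's code): a login form that reflects the "uid"
// and "error" query parameters, first as the advisory describes the flaw,
// then hardened. All function names and the sample values are assumed.

// Vulnerable pattern: the raw parameter is written into an attribute value,
// so a value beginning with  ">  closes the attribute and the tag, and
// whatever follows is rendered by the browser as markup.
function render_uid_field_vulnerable(string $uid): string
{
    return '<input type="text" name="uid" value="' . $uid . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// encodes both " and ', ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole value into an empty string, and the charset is stated explicitly.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_uid_field(string $uid): string
{
    return '<input type="text" name="uid" value="' . html_attr($uid) . '">';
}

// The error message is reflected as element text; the same encoding turns
// < and > into entities, so no tag can be injected there either.
function render_error(string $error): string
{
    return '<p class="error">' . html_attr($error) . '</p>';
}

// Constructed sample input mirroring the  uid=">...  shape of the advisory;
// the injected text here is inert (a bold tag, no script).
$uid   = $_GET['uid']   ?? 'demo"><b>injected</b>';
$error = $_GET['error'] ?? '<b>injected</b> login failed';

echo render_uid_field_vulnerable($uid), PHP_EOL;  // attribute broken out of
echo render_uid_field($uid), PHP_EOL;             // quotes and brackets encoded
echo render_error($error), PHP_EOL;               // tag rendered as literal text
```

Run it from the command line to see the three renderings side by side; only the first one yields markup outside the attribute. The encoding must match the context the value lands in, so a value placed inside a script block or a URL would need a different encoder than html_attr().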
Session Hijack:
A cookie system is utilized by the server to determine whether a user has
logged on or not. This cookie mechanism stores a session id inside the
cookie. The session id generating mechanism is flawed, as it is not random
enough, allowing attackers the possibility to guess the next issued
number. By guessing the issued number an attacker can impersonate another
user and hijack his account.
The following are two consecutive session ids generated by two separate
logon processes:
xx01xx01xxX
xx01xx02Xxx
The first session id differs from the second in only two places, which
indicates poor session id randomization.
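An added example, not from the advisory or the vendor, that turns the comparison above into a check and shows a generator without the weakness. weak_session_id() models a prefix-plus-counter scheme of the shape shown; differing_positions() counts the character positions in which two ids differ; secure_session_id() draws the id from the CSPRNG. All names are assumed.

```php
<?php
// Added example (not Sphera's code): measuring how much two consecutive
// session ids differ, and issuing ids that have no such relation.

// Count the character positions in which two ids differ. Ids produced by a
// counter differ only in the few positions that the increment changed.
function differing_positions(string $a, string $b): int
{
    if (strlen($a) !== strlen($b)) {
        return max(strlen($a), strlen($b));
    }
    $n = 0;
    for ($i = 0, $len = strlen($a); $i < $len; $i++) {
        if ($a[$i] !== $b[$i]) {
            $n++;
        }
    }
    return $n;
}

// Fraction of differing positions; a value close to zero is the signature
// of a counter-based scheme like the one the advisory reports.
function difference_ratio(string $a, string $b): float
{
    return differing_positions($a, $b) / max(1, strlen($a), strlen($b));
}

// Weak generator modelled on the shape above (fixed prefix plus a counter):
// the next id follows from the current one.
function weak_session_id(int $counter): string
{
    return sprintf('xx01xx%02dXxx', $counter);
}

// Sound generator: 128 bits from the CSPRNG, hex-encoded. Consecutive values
// are independent, so two ids differ in about 15/16 of their hex positions.
function secure_session_id(): string
{
    return bin2hex(random_bytes(16));
}

$weak1 = weak_session_id(1);
$weak2 = weak_session_id(2);
$good1 = secure_session_id();
$good2 = secure_session_id();

printf("weak:   %s vs %s -> %d differing positions (ratio %.2f)\n",
    $weak1, $weak2, differing_positions($weak1, $weak2), difference_ratio($weak1, $weak2));
printf("secure: %s vs %s -> %d differing positions (ratio %.2f)\n",
    $good1, $good2, differing_positions($good1, $good2), difference_ratio($good1, $good2));

// In a real PHP application, let the session extension generate the id
// (session.sid_length and session.sid_bits_per_character in php.ini) and
// call session_regenerate_id(true) after a successful login, so an id chosen
// or observed before authentication is not carried into the logged-in state.
```

The ratio is a quick audit heuristic, not a proof of randomness: a scheme that hashes a counter would score well here and still be predictable, so the check belongs alongside a review of how the id is actually derived.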
Denial of Service:
By making a POST request to the server, it is possible to bring down the
service without being required to authenticate:
http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack
Note that the Referer value is checked. Therefore you will need to fake
the value in order for this to work.
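An added example (not Sphera's code) of a restart handler that does not rely on the Referer header as its control, since the client chooses that header: the request must carry an authenticated session and a per-session token that is compared with hash_equals(). The session keys, the form field names and the restart callback are assumed.

```php
<?php
// Added example (not Sphera's code): a restart handler that refuses the
// request unless the caller holds an authenticated session and presents a
// per-session anti-CSRF token. Session keys, field names and the restart
// callback are assumed.

session_start();

// Issue one token per session, drawn from the CSPRNG.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// hash_equals() compares in constant time, so the check leaks no timing.
function csrf_token_valid(array $session, ?string $presented): bool
{
    return is_string($presented)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $presented);
}

// Decide the outcome as an HTTP status so the policy can be exercised
// without side effects: 405 wrong method, 401 not logged in, 403 bad or
// missing token, 200 restart performed.
function restart_request_status(string $method, array $session, ?string $token, callable $restart): int
{
    if ($method !== 'POST') {
        return 405;
    }
    if (empty($session['user_id'])) {
        return 401;
    }
    if (!csrf_token_valid($session, $token)) {
        return 403;
    }
    $restart((string) $session['user_id']);
    return 200;
}

// Hidden field for the restart form, so the token travels with the POST.
function restart_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="restart.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit" name="restart_vds" value="on">Restart VDS</button>'
         . '</form>';
}

$status = restart_request_status(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    $_SESSION,
    $_POST['csrf_token'] ?? null,
    function (string $userId): void {
        // Hypothetical hook: restart only the VDS owned by the logged-in user.
        error_log("restart requested for the VDS of user {$userId}");
    }
);

if (PHP_SAPI === 'cli') {
    // Constructed walk-through for a command-line run: no session (401),
    // authenticated but wrong token (403), then a valid token (200).
    $demo = ['user_id' => 'demo-user'];
    echo restart_request_status('POST', [], null, fn($u) => null), PHP_EOL;
    echo restart_request_status('POST', $demo, 'wrong', fn($u) => null), PHP_EOL;
    $good = csrf_token($demo);
    echo restart_request_status('POST', $demo, $good, fn($u) => null), PHP_EOL;
} else {
    http_response_code($status);
}
```

The restart is tied to the user in the session rather than to a user name taken from the query string, so an authenticated caller can only restart what they own. A Referer check may stay as defence in depth, but it is not the control that decides the request.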
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@lorenzohgh.com> Lorenzo Manuel Hernandez Garcia-Hierro.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.