[NEWS] Sphera HostingDirector and Final User Control Panel CSS, DoS and Session Hijacking
From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/03
To: list@securiteam.com
Date: 24 Jun 2003 18:58:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -
Sphera HostingDirector and Final User Control Panel CSS, DoS and Session Hijacking
------------------------------------------------------------------------
SUMMARY
<http://www.Sphera.com> Sphera's HostingDirector comprises three
fundamental components that are integrated to provide rich offerings,
maximum control for resellers and site owners, and easy, centralized
administration of shared and dedicated environments running on Linux and
Microsoft Windows. Multiple vulnerabilities have been found in the product,
allowing remote attackers to insert malicious HTML or JavaScript into
existing pages (and so hijack existing connections), to shut down the
server without being authenticated, and to reproduce existing session ids
(and so hijack those sessions).
DETAILS
Cross Site Scripting Vulnerability
The following URLs illustrate which scripts are vulnerable to cross site
scripting:
http://[TARGET]/[INSTALLATION]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE]
http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE, TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]
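The parameters above are reflected into the login pages, so the cheapest detection on the server side is to watch the access log for requests to those scripts whose query values carry attribute- or tag-breaking characters. The script below is an added example for this advisory, not SecuriTeam's or Sphera's code; the install prefix (/hd/), the log format (combined Apache/nginx) and the log lines themselves are constructed for illustration.

```python
"""Flag login-page requests whose query parameters carry markup characters.

Added example for this advisory (not SecuriTeam's or Sphera's code). It scans
combined-format access log lines for requests to the two login scripts named
in the advisory and reports every parameter whose URL-decoded value contains
a character that would break out of an HTML attribute or start a tag.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Scripts named in the advisory; the install prefix varies, so match the tail of the path.
WATCHED_SCRIPTS = ("/login/sm_login_screen.php", "/login/login_screen.php")
# Any of these in a decoded value deserves a look on a page that reflects the value.
MARKUP_CHARS = set('<>"\'')

# Combined log format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_params(url):
    """Return [(name, decoded_value)] for watched-script parameters containing markup."""
    parts = urlsplit(url)
    if not parts.path.endswith(WATCHED_SCRIPTS):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP_CHARS & set(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per log line that carries at least one suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "params": hits})
    return findings


# Constructed sample log lines (no real server produced these).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2003:18:58:24 +0200] "GET /hd/login/sm_login_screen.php?uid=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Jun/2003:18:58:31 +0200] "GET /hd/login/sm_login_screen.php?uid=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
    '198.51.100.4 - - [24/Jun/2003:19:01:02 +0200] "GET /hd/login/login_screen.php?vds_ip=vds.example.net&uid=bob&tz=CEST HTTP/1.1" 200 600',
    '198.51.100.4 - - [24/Jun/2003:19:01:09 +0200] "GET /hd/login/login_screen.php?vds_ip=vds.example.net&uid=bob&tz=CEST&vds_server_ip=%22%3E%3Cb%3E HTTP/1.1" 200 600',
    '192.0.2.9 - - [24/Jun/2003:19:05:00 +0200] "GET /hd/index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["params"])
```

Decoding before matching matters: the characters arrive percent-encoded, so a raw substring match on the log line would miss them. The last sample line is deliberately outside the watched scripts and produces no finding; widen WATCHED_SCRIPTS once the reflecting pages on your own install are known.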
Session Hijack:
A cookie system is utilized by the server to determine whether a user has
logged on or not. This cookie mechanism stores a session id inside the
cookie. The session id generating mechanism is flawed, as it is not random
enough, allowing attackers to guess the next issued number. By guessing
the issued number an attacker can impersonate another user and hijack his
account.
The following are two consecutive session ids generated by two separate
logon processes:
xx01xx01xxX
xx01xx02Xxx
The first session id differs from the second in only two positions, which
indicates poor session id randomization.
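A quick way to confirm this class of weakness on your own installation is to collect the session ids from several consecutive logons to your own account and measure how much of each id actually changes. The script below is an added example for this advisory, not SecuriTeam's or Sphera's code; the WEAK_IDS sample is constructed in the style of the ids quoted above and is not real data.

```python
"""Rough predictability check for a sample of consecutive session ids.

Added example for this advisory (not SecuriTeam's or Sphera's code). Given
session ids captured from consecutive logons to the tester's own account,
it reports which character positions ever change, estimates the entropy of
those positions, and detects the weak pattern the advisory describes: a
fixed template with a counter in it.
"""
import math
from collections import Counter


def varying_positions(ids):
    """Indices at which the sampled ids do not all carry the same character."""
    if not ids:
        return []
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("session ids in the sample must share one length")
    return [i for i in range(width) if len({s[i] for s in ids}) > 1]


def position_entropy_bits(ids, pos):
    """Shannon entropy, in bits, of the characters observed at one position."""
    n = len(ids)
    counts = Counter(s[pos] for s in ids)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def estimated_entropy_bits(ids):
    """Sum of per-position entropies: an optimistic upper bound on the real entropy."""
    return sum(position_entropy_bits(ids, p) for p in varying_positions(ids))


def looks_sequential(ids):
    """True when the varying positions, read together as a decimal number, step by 1."""
    pos = varying_positions(ids)
    if not pos or len(ids) < 2:
        return False
    try:
        counters = [int("".join(s[p] for p in pos)) for s in ids]
    except ValueError:
        return False  # non-digit characters in the varying positions: not a plain counter
    return all(b - a == 1 for a, b in zip(counters, counters[1:]))


def assess(ids):
    """Summarise the sample; 'weak' when a counter is found or most positions never change."""
    pos = varying_positions(ids)
    width = len(ids[0]) if ids else 0
    sequential = looks_sequential(ids)
    weak = sequential or len(pos) < width // 2
    return {
        "width": width,
        "varying_positions": pos,
        "entropy_bits": estimated_entropy_bits(ids),
        "sequential": sequential,
        "verdict": "weak" if weak else "no obvious pattern",
    }


# Constructed sample in the style of the ids quoted in the advisory (not real ids).
WEAK_IDS = ["xx01xx08xxx", "xx01xx09xxx", "xx01xx10xxx", "xx01xx11xxx"]

if __name__ == "__main__":
    print(assess(WEAK_IDS))
```

The entropy figure is an upper bound: positions that vary independently of each other are the best case, and a counter makes them fully dependent, which is why the sequential check is reported separately. Four ids are enough to expose a counter; judging a CSPRNG-backed id as sound needs a far larger sample and a proper statistical test.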
Denial of Service:
By making a POST request to the server, it is possible to bring down the
service without being required to authenticate:
http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack
Note that the Referer value is checked. Therefore you will need to fake
the value in order for this to work.
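A Referer header is supplied by the client, so a check on it proves nothing about who sent the request; the endpoint needs an authenticated session, an anti-CSRF token and an entitlement check. The snippet below is an added example for this advisory, not SecuriTeam's or Sphera's code: the panel origin, the session store, the cookie name and the form field names are all assumed for illustration. referer_only_allows() mirrors the kind of check the advisory describes, and hardened_allows() shows the checks a restart endpoint should make instead.

```python
"""A Referer-only check beside a hardened authorization check for a VDS restart.

Added example for this advisory (not SecuriTeam's or Sphera's code). The
control-panel origin, session store, cookie and form field names below are
assumed for illustration only.
"""
import hmac
import secrets

PANEL_ORIGIN = "https://panel.example.net"  # assumed control-panel origin

# Assumed server-side session store: session id -> session record.
SESSIONS = {}


def create_session(user, is_admin=False):
    """Issue a session id and a per-session anti-CSRF token from the OS CSPRNG."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "is_admin": is_admin, "csrf": secrets.token_urlsafe(32)}
    return sid


def referer_only_allows(headers):
    """Weak: the client chooses the Referer value, so this says nothing about the caller."""
    return headers.get("Referer", "").startswith(PANEL_ORIGIN + "/")


def hardened_allows(headers, cookies, form):
    """Allow a restart only for an authenticated, entitled, CSRF-protected request."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False  # no valid session: unauthenticated caller
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return False  # cross-site or replayed form: token absent or wrong
    target = form.get("target_user", "")
    if target != session["user"] and not session["is_admin"]:
        return False  # a user may restart only their own VDS
    return form.get("restart_vds") == "on"


def demo():
    """Run both checks on a forged unauthenticated request and on a genuine one."""
    forged_headers = {"Referer": PANEL_ORIGIN + "/dev/VDS/"}
    forged_form = {"restart_vds": "on", "target_user": "alice"}
    sid = create_session("alice")
    genuine_form = {"restart_vds": "on", "target_user": "alice",
                    "csrf_token": SESSIONS[sid]["csrf"]}
    return {
        "forged_passes_referer_check": referer_only_allows(forged_headers),
        "forged_passes_hardened_check": hardened_allows(forged_headers, {}, forged_form),
        "genuine_passes_hardened_check": hardened_allows({}, {"sid": sid}, genuine_form),
        "other_user_blocked": not hardened_allows({}, {"sid": sid},
                                                  {**genuine_form, "target_user": "bob"}),
    }


if __name__ == "__main__":
    print(demo())
```

The token comparison uses hmac.compare_digest so that a wrong token takes the same time as a right one regardless of where the first differing byte is. Note that hardened_allows() never looks at the Referer at all; once a session and token are required, the header adds nothing.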
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@lorenzohgh.com> Lorenzo Manuel Hernandez Garcia-Hierro.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.