[NT] HELM Management and Control System SQL Injection and XSS Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 11/03/04

  • Next message: SecuriTeam: "[UNIX] qwik-smtpd Format String Vulnerability" 
    To: list@securiteam.com
Date: 3 Nov 2004 17:10:28 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      HELM Management and Control System SQL Injection and XSS Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    " <http://helm.webhostautomation.com> Helm is a multi-server management
    and control system for Windows 2000 and 2003 based web hosts. The system
    is designed for any size web hosting companies, datacenters and ISPs,
    which require a solid platform that automates all of the day-to-day tasks
    that would otherwise require highly skilled man power, and large work
    forces."

    SQL injection and cross site scripting attacks are plausible in HELM due
    to lack of input validation in various fields of the "compose message"
    form.

    DETAILS

    Vulnerable Systems:
     * HELM version 3.1.19 and prior

    Immune Systems:
     * HELM version 3.1.20

    The HELM Messaging module is used by resellers to keep customers up to
    date with the latest information. System information messages can also be
    sent to the messaging service to inform resellers and users of any
    problems. Due to the lack of proper input validation in this module, it's
    possible both to inject SQL commands and malicious script to the system to
    gain "ADMIN" level access to the system.

    SQL Injection
    There is no input validation for the "messageToUserAccNum" parameter of
    the "compose message" form, facilitating execution of crafted SQL queries
    by passing arbitrary SQL code. By using a Man in The Middle HTTP tool,
    it's possible to inject SQL query in "messageToUserAccNum" value, in the
    form of:
            [username]',[messageid],[isread]); [arbitrary sql query];--

    For example, a user with reseller level access can send the following
    value that will add an account 'root' with ADMIN privilege and blank
    password to the account table in HELM database:
    xxxx',10,0); insert into
    account(accountnumber,accounttype,accountpassword) values('root',0,'');--

    Cross Site Scripting
    The malicious script code can be placed within the 'Subject' field of the
    'Compose Message' form. Since the code is unfiltered, viewing of the
    message by another user on the system will trigger the code.

    Vendor Status:
    The vendor has fixed the security issues and a newer version is available
    for download. Users are highly encouraged to upgrade to the latest
    version.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bugtraq@hat-squad.com>
    Hat-Squad Security Team.
    The original article can be found at:
    <http://www.hat-squad.com/en/000077.html>
    http://www.hat-squad.com/en/000077.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] qwik-smtpd Format String Vulnerability"

    Relevant Pages