Date: 3 Nov 2004 17:10:28 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [NT] HELM Management and Control System SQL Injection and XSS Vulnerabilities
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
HELM Management and Control System SQL Injection and XSS Vulnerabilities
------------------------------------------------------------------------
SUMMARY
" <http://helm.webhostautomation.com>; Helm is a multi-server management
and control system for Windows 2000 and 2003 based web hosts. The system
is designed for any size web hosting companies, datacenters and ISPs,
which require a solid platform that automates all of the day-to-day tasks
that would otherwise require highly skilled man power, and large work
forces."
SQL injection and cross site scripting attacks are plausible in HELM due
to lack of input validation in various fields of the "compose message"
form.
DETAILS
Vulnerable Systems:
* HELM version 3.1.19 and prior
Immune Systems:
* HELM version 3.1.20
The HELM Messaging module is used by resellers to keep customers up to
date with the latest information. System information messages can also be
sent to the messaging service to inform resellers and users of any
problems. Due to the lack of proper input validation in this module, it's
possible both to inject SQL commands and malicious script to the system to
gain "ADMIN" level access to the system.
SQL Injection
There is no input validation for the "messageToUserAccNum" parameter of
the "compose message" form, facilitating execution of crafted SQL queries
by passing arbitrary SQL code. By using a Man in The Middle HTTP tool,
it's possible to inject SQL query in "messageToUserAccNum" value, in the
form of:
[username]',[messageid],[isread]); [arbitrary sql query];--
For example, a user with reseller level access can send the following
value that will add an account 'root' with ADMIN privilege and blank
password to the account table in HELM database:
xxxx',10,0); insert into
account(accountnumber,accounttype,accountpassword) values('root',0,'');--
Cross Site Scripting
The malicious script code can be placed within the 'Subject' field of the
'Compose Message' form. Since the code is unfiltered, viewing of the
message by another user on the system will trigger the code.
Vendor Status:
The vendor has fixed the security issues and a newer version is available
for download. Users are highly encouraged to upgrade to the latest
version.
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]>
Hat-Squad Security Team.
The original article can be found at:
<http://www.hat-squad.com/en/000077.html>;
http://www.hat-squad.com/en/000077.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
