by r0t,der4444,cembo,VietMafia

Friday, November 25, 2005

DRZES HMS 3.2 Multiple vuln.

DRZES HMS 3.2 - Hosting Management System - multiple SQL injection vulnerabilities and an XSS vulnerability

Vulnerabilities discovered by: r0t
Date: 25 Nov. 2005
Vendor: http://drzes.com/
Affected version: 3.2 and prior


Product description:

Increase your efficiency using the DRZES HMS. The DRZES HMS is packed with features perfect for the professional web hosting company. The HMS is an all-in-one solution featuring a robust control panel, the ability to manage all of your servers from one centralized location, allows your customers to manage all of their plans from one centralized location, fully customizable front-end, and customer control area including the control panel and much more. We do not brand our name on your site. More features include multiple billing gateways supported, multiple registrar API's supported, server monitoring, robust plan maintenance functions, bandwidth monitoring and more. If there's a specific feature you need before you purchase the drzes HMS or an additional API supported please let us know and we will promptly take care of your request.

Vulnerability description:

1. Multiple SQL injection vulnerabilities
Input passed to the "plan_id" and "domain" parameters in "pop_accounts.php", "databases.php", "ftp_users.php", "crons.php", "pass_dirs.php", "zone_files.php",
"htaccess.php", "software.php", "domains.php" and "viewusage.php"
is not properly sanitised before being used in a SQL query.
Input passed to the "invoiceID" parameter in "viewinvoice.php", to the "customerPlanID" parameter in "viewplan.php" and "listcharges.php", and to the "ref_id" parameter in "referred_plans.php" is likewise not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. All affected scripts live in the customer area ("/customers/"), and the injected parameters are the ones that select which plan, invoice or domain records a query returns, so a successful injection changes which records come back or alters the query altogether.

Examples (replace [SQL] with the injected SQL string):
/customers/domains.php?plan_id=[SQL]
/customers/viewinvoice.php?invoiceID=[SQL]
/customers/viewplan.php?customerPlanID=[SQL]
/customers/referred_plans.php?ref_id=[SQL]
/customers/referred_plans.php?sort=id&order=asc&ref_id=[SQL]
/customers/viewusage.php?plan_id=[SQL]
/customers/listcharges.php?customerPlanID=[SQL]
/customers/pop_accounts.php?plan_id=[SQL]
/customers/pop_accounts.php?plan_id=35&domain=[SQL]
/customers/databases.php?plan_id=[SQL]
/customers/databases.php?plan_id=35&domain=[SQL]
/customers/ftp_users.php?plan_id=[SQL]
/customers/ftp_users.php?plan_id=35&domain=[SQL]
/customers/crons.php?plan_id=[SQL]
/customers/crons.php?plan_id=35&domain=[SQL]
/customers/pass_dirs.php?plan_id=[SQL]
/customers/pass_dirs.php?plan_id=35&domain=[SQL]
/customers/zone_files.php?plan_id=[SQL]
/customers/zone_files.php?plan_id=35&domain=[SQL]
/customers/htaccess.php?plan_id=[SQL]
/customers/htaccess.php?plan_id=35&domain=[SQL]
/customers/software.php?plan_id=[SQL]
/customers/software.php?plan_id=35&domain=[SQL]
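The following Python/SQLite model is an added example and is not DRZES HMS code: it reproduces the pattern behind the "plan_id" and "domain" findings (request parameters pasted into the SQL text) next to the fixed form, so the effect of both injection points can be seen on a constructed table. The table name, columns, customer numbering and the assumption that the query is meant to be restricted to the logged-in customer's own plans are all assumptions for illustration.

```python
import sqlite3

# Constructed sample schema and data standing in for a hosting control panel's
# plan table. Table and column names are assumptions, not taken from DRZES HMS.
SCHEMA = """
CREATE TABLE plans (
    plan_id     INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    domain      TEXT    NOT NULL
);
INSERT INTO plans VALUES (35, 1, 'alice.example');
INSERT INTO plans VALUES (36, 2, 'bob.example');
INSERT INTO plans VALUES (37, 2, 'carol.example');
"""


def open_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, customer_id, plan_id, domain=None):
    """Unsafe pattern: plan_id and domain come straight from the query string
    and are concatenated into the SQL. customer_id is assumed to come from the
    session and is the only thing meant to keep customers apart."""
    sql = (f"SELECT plan_id, customer_id, domain FROM plans "
           f"WHERE customer_id = {int(customer_id)} AND plan_id = {plan_id}")
    if domain is not None:
        sql += f" AND domain = '{domain}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, customer_id, plan_id, domain=None):
    """Fixed form: the numeric identifier is cast to int (anything else is
    rejected) and every value is bound as a query parameter, so the request
    can no longer change the structure of the statement."""
    try:
        pid = int(plan_id)
    except (TypeError, ValueError):
        return []
    sql = ("SELECT plan_id, customer_id, domain FROM plans "
           "WHERE customer_id = ? AND plan_id = ?")
    params = [int(customer_id), pid]
    if domain is not None:
        sql += " AND domain = ?"
        params.append(domain)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    # Customer 1 asking for customer 2's plan: the customer_id check holds.
    print(vulnerable_lookup(db, 1, "36"))
    # plan_id=36 OR 1=1 -> "... AND plan_id = 36 OR 1=1": every customer's rows.
    print(vulnerable_lookup(db, 1, "36 OR 1=1"))
    # plan_id=35&domain=' OR '1'='1 -> the string parameter is just as exposed.
    print(vulnerable_lookup(db, 1, "35", "' OR '1'='1"))
    # Same requests against the fixed query: only the customer's own plan.
    print(hardened_lookup(db, 1, "35"))
    print(hardened_lookup(db, 1, "36 OR 1=1"))
    print(hardened_lookup(db, 1, "35", "' OR '1'='1"))
```

The "OR 1=1" payload works because AND binds tighter than OR: "customer_id = 1 AND plan_id = 36 OR 1=1" is evaluated as "(customer_id = 1 AND plan_id = 36) OR 1=1", which discards the per-customer restriction entirely. The same applies to the quoted "domain" value, which is why casting "plan_id" alone is not a complete fix.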


2. XSS vulnerability in the "Search domain availability" field
in:
/customers/register_domain.php
The parameters of the domain availability search are not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
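An added example, not code from register_domain.php, of the reflected-output problem above: the searched domain is echoed back both as page text and inside an input's value attribute, and the block shows the vulnerable page, a partial fix that only escapes angle brackets (still injectable through the attribute), and the full fix. The page layout and the payloads are constructed for illustration; the domain-syntax check at the end is a defence-in-depth suggestion specific to this field, not something the advisory describes.

```python
import html
import re

# Constructed payloads standing in for what an attacker would type into the
# domain-availability search field.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)'

# Hostname syntax: labels of 1-63 chars from [a-z0-9-], not starting or
# ending with "-", at least one dot.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")


def render_results(search_term, available, escape=None):
    """Assumed results fragment: the term is echoed into element content and
    into an attribute value. `escape` is the output encoder applied to it;
    None reproduces the vulnerable behaviour."""
    shown = search_term if escape is None else escape(search_term)
    status = "is available" if available else "is already registered"
    return (f"<p>{shown} {status}</p>\n"
            f'<input type="text" name="domain" value="{shown}">')


def vulnerable_page(term, available):
    """Echoes the term unchanged: both contexts are injectable."""
    return render_results(term, available)


def half_fixed_page(term, available):
    """Escapes &, < and > only: closes the <script> vector but a double quote
    still terminates the value="..." attribute and adds an event handler."""
    return render_results(term, available, lambda s: html.escape(s, quote=False))


def hardened_page(term, available):
    """quote=True also encodes " and ', covering the attribute context."""
    return render_results(term, available, lambda s: html.escape(s, quote=True))


def is_plausible_domain(term):
    """Input validation for this specific field: a domain name never contains
    <, ", spaces or other markup characters, so reject such input before it
    reaches the lookup or the page at all."""
    return len(term) <= 253 and DOMAIN_RE.match(term.lower()) is not None


if __name__ == "__main__":
    for page in (vulnerable_page, half_fixed_page, hardened_page):
        print(page.__name__)
        print(page(SCRIPT_PAYLOAD, True))
        print(page(ATTRIBUTE_PAYLOAD, True))
    print(is_plausible_domain("example.com"), is_plausible_domain(ATTRIBUTE_PAYLOAD))
```

Output encoding has to match the context the value lands in; the half-fixed variant is the classic mistake of stripping "<" and ">" and declaring the search field safe while the attribute reflection remains exploitable.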

Solution:
Edit the source code to ensure that input is properly sanitised: cast numeric identifiers such as "plan_id", "invoiceID", "customerPlanID" and "ref_id" to integers before they reach a query, pass string values such as "domain" through prepared statements (or, failing that, the database driver's escaping function), and HTML-encode the search term before it is echoed back by register_domain.php.

Copyright (c) 2006 Pridels Sec Crew