by r0t,der4444,cembo,VietMafia

Monday, March 27, 2006

CONTROLzx HMS - Hosting Management System vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
Vendor: http://front.controlzx.com/
Affected versions: V.3.3.4 and prior
###############################################

Vuln. description:


CONTROLzx HMS contains flaws that allow remote cross-site scripting attacks.
These flaws exist because input passed to the "dedicatedPlanID" parameter in "dedicated_order.php", the "sharedPlanID" parameter in "shared_order.php" and the "plan_id" parameter in "/customers/server_management.php" isn't properly sanitised before being returned to the user.
Input passed to the email field in "/customers/forgotpass.php" also isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples :

/shared_order.php?sharedPlanID=1[XSS]
/dedicated_order.php?dedicatedPlanID=1[XSS]
/customers/server_management.php?plan_id=1[XSS]


+

/small update/

As this software was known a few months ago under another name, "DRZES HMS", I reported multiple vulnerabilities in DRZES HMS 3.2 (look at additional info).
So, just as an update, here is one from version 3.2 which isn't fixed in the latest releases:

Input passed to search field in "/customers/register_domain.php" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


##############################################
DRZES HMS 3.2 - multiple SQL inj. and XSS vuln.
http://pridels.blogspot.com/2005/11/drzes-hms-32-multiple-vuln.html
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
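As an added illustration of the solution above (example code written for this page, not CONTROLzx's or DRZES HMS's own source), here is the reflected-XSS pattern the advisory describes next to a hardened version. It assumes PHP 7.1 or later; the parameter names `sharedPlanID` and `email` come from the advisory, while the page markup, the function names and the sample request are constructed for the example.

```php
<?php
// Added example, not CONTROLzx/DRZES code. Shows why "input returned to the
// user without sanitising" is exploitable and what the fix looks like.
// Parameter names mirror the advisory; everything else is constructed.

// Vulnerable pattern: the raw query-string value is concatenated into the
// HTML response, so any markup it contains is interpreted by the browser.
function render_plan_vulnerable(array $get): string
{
    $planId = $get['sharedPlanID'] ?? '';
    return "<p>Ordering plan " . $planId . "</p>";
}

// Control 1: output encoding for the HTML body/attribute context.
// ENT_QUOTES matters: older htmlspecialchars defaults left single quotes alone.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Control 2: input validation. A plan ID is a positive integer; ctype_digit
// rejects signs, whitespace and any embedded markup before the cast.
function validate_plan_id($raw): ?int
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened form of the plan page: validate first, and never reflect a
// rejected value back into the page.
function render_plan_hardened(array $get): string
{
    $planId = validate_plan_id($get['sharedPlanID'] ?? null);
    if ($planId === null) {
        return "<p>Invalid plan selected.</p>";
    }
    return "<p>Ordering plan " . html_escape((string) $planId) . "</p>";
}

// Free-text fields such as the e-mail field on forgotpass.php cannot be
// reduced to an integer, so encoding on output is the control that matters.
function render_forgotpass_hardened(array $post): string
{
    $email = (string) ($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return "<p>Please enter a valid e-mail address.</p>";
    }
    return "<p>A reset link was sent to " . html_escape($email) . "</p>";
}

// Constructed sample request: harmless markup in the parameter is enough to
// show the difference between the two renderings.
$sample = ['sharedPlanID' => '1<i>demo</i>'];
echo render_plan_vulnerable($sample), PHP_EOL;   // markup reaches the browser as markup
echo render_plan_hardened($sample), PHP_EOL;     // <p>Invalid plan selected.</p>
echo html_escape('1<i>demo</i>'), PHP_EOL;       // 1&lt;i&gt;demo&lt;/i&gt;

$sample2 = ['email' => 'user@example.com'];
echo render_forgotpass_hardened($sample2), PHP_EOL;
```

The two controls are independent: validation limits what the parameter can contain, and encoding makes whatever is echoed inert in the HTML context. Encoding alone is the right tool for free-text fields, but `htmlspecialchars` only covers HTML body and attribute contexts; a value placed inside a `<script>` block or a URL needs the encoder for that context instead.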
More information @ unsecured-systems.com/forum/

Copyright (c) 2006 Pridels Sec Crew