06-alternC-095.txt

06 Dec 2006 00:00:00 | Reported by Vincent Audet Menard | Type: packetstorm | Source: packetstormsecurity.com

Ground 418 security advisory for AlternC version 0.9.5 and below, with multiple vulnerabilities including XSS, remote code execution, unauthorized file and folder creation, and full file system reading access

Code
`ground418 security advisory  
  
Date: 28-11-2006  
Subject: Multiple Vulnerabilities in AlternC version 0.9.5 (and below).  
Author: Vincent Audet Ménard <[email protected]>  
Original File:  
http://www.ground418.org/exploits/read.php?file=06-alternC-095.txt  
Related Files:  
http://dev.alternc.org/trac/alternc/changeset/1737  
http://dev.alternc.org/trac/alternc/changeset/1738  
http://dev.alternc.org/trac/alternc/changeset/1739  
  
Vendor: http://www.alternc.org/  
  
Vulnerabilities:  
- Possible XSS  
- Remote code execution  
- Unauthorized file and folder creation  
- Full file system reading access  
  
Risk: high  
  
  
-[ About alternC ]  
  
AlternC is an open source hosting services software suite. AlternC  
includes an automatic installation and configuration system, and a   
web-based control panel to manage users' accounts and web services   
(e.g. domains, emails, ftp accounts, statistics...).  
  
-[ Remote code execution ]  
  
It is possible to execute JavaScript by creating a directory with the  
file manager of AlternC.  
Simply create a folder called  
"<script>alert(document.cookie);</script>" to have a demonstration.  
This could also lead to a path disclosure if PHP is set to show  
warnings.  
  
Once a user has used the phpMyAdmin in AlternC, the SQL password can be  
seen (in plain text) in the cookie. This could lead to theft of the SQL  
password if combined with an XSS.  
  
-[ Unauthorized folder and file creation ]  
  
You can create folders and files pretty much anywhere AlternC has  
the right to do so, simply by entering a filename like "../../test" in  
the "create name" input.  
  
-[ Full FileSystem reading access ]  
  
When configuring a subdomain, you can indicate that the files will be  
locally managed in a specific folder. You can configure your subdomain  
to have the web root in "../../../../../" so that you have complete  
read access (within the apache/AlternC user's restrictions) to the  
file system.  
  
-[ Solution ]  
  
Except for the SQL password visible in plain text, all these flaws are  
caused by bad input sanitization. Double dots and slashes should  
not be permitted anywhere. The form inputs in ('admin/bro_main.php',  
'admin/dom_subedit.php', 'admin/dom_add.php') were causing the most  
critical flaws.  
  
AlternC developers were alerted a few days ago and they have released a  
new version. We highly recommend that you stop using 0.9.5 and consider  
upgrading to the newest version.  
  
Version 0.9.6 is available at   
https://dev.alternc.org/trac/alternc/milestone/0.9.6  
  
Vincent A. Menard  
`
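
The input handling the Solution section calls for, as an added PHP example that is not code from the advisory or from AlternC: a name check for the "create name" input and a containment check for a subdomain web root, run against the strings the advisory quotes. The function names and the temporary account directory are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names and the temporary directory layout are hypothetical.

// A new file or folder name must be one path component: no separators,
// no "." or "..", no control bytes.
function safe_entry_name(string $name): ?string
{
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return preg_match('#[/\\\\\x00-\x1f]#', $name) ? null : $name;
}

// Canonicalise $relative under $root and accept it only if the result is
// still $root or a descendant of it (realpath() resolves ".." and symlinks).
function resolve_inside(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    $target = $rootReal === false
        ? false
        : realpath($rootReal . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null; // root or target does not exist
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    $inside = $target === $rootReal
        || strncmp($target, $prefix, strlen($prefix)) === 0;
    return $inside ? $target : null;
}

// Constructed account root for the demonstration.
$root = sys_get_temp_dir() . '/demo_account_' . getmypid();
mkdir($root . '/www', 0700, true);

// Inputs quoted in the advisory, plus one legitimate value of each kind.
$names = ['photos', '../../test', '<script>alert(document.cookie);</script>'];
foreach ($names as $name) {
    $verdict = safe_entry_name($name) !== null ? 'accepted' : 'rejected';
    // Encode on output as well, so a stored name can never become markup.
    printf("create name %-56s %s\n", htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), $verdict);
}
foreach (['www', '../../../../../'] as $webroot) {
    printf("web root    %-56s %s\n", $webroot, resolve_inside($root, $webroot) ?? 'rejected');
}

rmdir($root . '/www');
rmdir($root);
```

Only "photos" and "www" are accepted. The script-tag folder name is rejected because it contains a slash, and the `htmlspecialchars()` call covers any name that was stored before the check existed.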
