08-27-2007, 03:58 PM
paulo
InterWorx-CP Multiple HTML Injection Vulnerabilities

Hi, I've just come across this article about InterWorx 3.0.2:
http://www.hackerscenter.com/archive/view.asp?id=27884

I didn't do any testing, but this way I hope to keep the InterWorx guys informed for future upgrades.

Regards

Copy > paste (article)
Quote:
[HSC] InterWorx-CP Multiple HTML Injection Vulnerabilities

The InterWorx Hosting Control Panel (InterWorx-CP) is a dedicated server control panel. InterWorx suffers from multiple HTML injection vulnerabilities. JavaScript and cross-site scripting are just a few of the vulns found; more sophisticated attacks such as remote file inclusion or even SQL injection may be possible. An attacker could exploit this vulnerability to have arbitrary script code execute in the context of the affected site. This may allow an attacker to steal cookie-based authentication credentials and to launch other attacks.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz


Remote: Yes
Local: Yes
Class: Input Validation Error



Products:

- InterWorx-CP Webmaster Level (SiteWorx) v3.0.2
- InterWorx-CP Server Admin Level (NodeWorx) v3.0.2

Vendor: InterWorx L.L.C. http://interworx.com


* Attackers can exploit these issues via a web client.



# Remote Holes:

/nodeworx/index.php/<Evil(XSS)-Code>

/siteworx/index.php/<Evil(XSS)-Code>


# Local Holes:

* (NodeWorx)

/nodeworx/nodeworx.php/<Evil-Code>
/nodeworx/users.php/<Evil-Code>
/nodeworx/lang.php/<Evil-Code>
/nodeworx/themes.php/<Evil-Code>
/nodeworx/setup.php/<Evil-Code>
/nodeworx/siteworx.php/<Evil-Code>
/nodeworx/packages.php/<Evil-Code>
/nodeworx/backup.php/<Evil-Code>
/nodeworx/import.php/<Evil-Code>
/nodeworx/scriptworx.php/<Evil-Code>
/nodeworx/resellers.php/<Evil-Code>
/nodeworx/reseller-packages.php/<Evil-Code>
/nodeworx/http.php/<Evil-Code>
/nodeworx/mail.php/<Evil-Code>
/nodeworx/ftp.php/<Evil-Code>
/nodeworx/mysql.php/<Evil-Code>
/nodeworx/sshd.php/<Evil-Code>
/nodeworx/nfs.php/<Evil-Code>
/nodeworx/cron.php/<Evil-Code>
/nodeworx/ip.php/<Evil-Code>
/nodeworx/firewall.php/<Evil-Code>
/nodeworx/updates.php/<Evil-Code>
/nodeworx/rrd.php/<Evil-Code>
/nodeworx/cluster.php/<Evil-Code>


* (SiteWorx)

/siteworx/siteworx.php/<Evil-Code>
/siteworx/users.php/<Evil-Code>
/siteworx/cron.php
/siteworx/prefs.php
/siteworx/ftp.php/<Evil-Code>
/siteworx/mysql.php/<Evil-Code>
/siteworx/domains.php/<Evil-Code>
/siteworx/htaccess.php/<Evil-Code>
/siteworx/scriptworx.php/<Evil-Code>
/siteworx/stats.php/<Evil-Code>
/siteworx/backup.php/<Evil-Code>
/siteworx/restore.php/<Evil-Code>
/siteworx/httpd.php/<Evil-Code>
