[Archived content from justinsamuel.com]

Vulnerability: AWBS magic_quotes_gpc “Off” SQL Injection and XSS

Posted on June 10, 2007, 9:01 am, by justin, under Vulnerabilities.

Advisory: AWBS magic_quotes_gpc “Off” SQL Injection and XSS Vulnerabilities
Release Date: 2007-06-10
Last Modified: 2007-07-26
Author: Justin Samuel [http://www.justinsamuel.com]

Application: AWBS < 2.6.0
Severity: Highly Critical
Impact: Disclosure of sensitive information
Cross-site scripting
Vendor Status: The vendor has released version 2.6.0 to address the issue. Testing is still needed to verify that the issue is corrected.

Vendor: Total Online Solutions, Inc.
App. Website: http://www.awbs.com/
References: http://www.justinsamuel.com/2007/06/10/awbs-magic_quotes_gpc-off-sql-injection-and-xss-vulnerabilities/

————————————————————————–

Description:

Advanced Webhost Billing System (AWBS) contains multiple SQL injection and XSS
vulnerabilities because user-supplied input is neither validated nor escaped
before being used in SQL queries and in generated HTML.

The software is not vulnerable to these issues when running with PHP’s
magic_quotes_gpc setting “On”, because that setting automatically backslash-escapes
quotes in all GET, POST and cookie data before the application sees it. The
vendor states in one place in their installation guide that magic_quotes_gpc
“On” is a requirement. However, this setting is not checked by the installer,
nor is it enforced by having the software refuse to run with magic_quotes_gpc
“Off”, so any installation on a server with the setting “Off” is exposed.

These vulnerabilities allow for any user with an account in the AWBS software
to perform SQL injection in numerous places. This can be done even with new
accounts created through the public side of AWBS that have no active services.

The available SQL injection attacks can be used to extract all information from
the AWBS database. This includes the following information:

* Root passwords to all servers used for hosting the websites of hosting
accounts sold through AWBS, resulting in multiple server compromise.
* Root passwords to all dedicated servers sold through AWBS, resulting in
multiple server compromise.
* Control panel usernames and passwords for all hosting accounts sold through
AWBS, resulting in multiple website compromise.
* Credit card information for all customers whose credit card info is stored in
AWBS, even if the administrative option to encrypt credit card numbers
has been used. The encrypted credit card numbers are not safe because the
symmetric encryption key is itself stored in the database and can be obtained
with the same injection.

Additionally, SQL injection allows an attacker to write arbitrary data into the
database and thereby bypass AWBS’s anti-XSS input validation, which only inspects
values arriving through normal form handling. The resulting stored XSS attacks
allow an attacker to steal the AWBS administrator’s session id and gain full
administrative access to AWBS.
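The two defects described above (a query that is only safe while magic_quotes_gpc happens to be “On”, and stored values that reach the administrator’s browser unencoded) are easier to see side by side. The following is an added example written for this page; it is not AWBS code, and the table name `accounts`, its columns, the session layout and the connection parameters are all assumptions. It shows the startup guard the advisory says the installer lacks, a concatenated query of the kind that magic quotes was protecting, and the parameterised query plus output encoding that do not depend on the setting at all. It is written against PHP 7 syntax; note that magic_quotes_gpc itself was removed in PHP 5.4 and `get_magic_quotes_gpc()` in PHP 8.0, so on current PHP only the third approach applies.

```php
<?php
// Added example (not AWBS code). Table "accounts", columns "id" and "email",
// and the session layout are hypothetical.

// (1) Enforce the documented requirement instead of trusting the install guide.
// With the guard in place, an installation on a server with magic_quotes_gpc
// "Off" fails closed rather than silently running unprotected.
function require_magic_quotes_or_abort(): void
{
    if (function_exists('get_magic_quotes_gpc') && !get_magic_quotes_gpc()) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Refusing to run: this application requires magic_quotes_gpc=On.');
    }
}

// (2) The pattern the advisory describes. This is "safe" only because magic
// quotes has already rewritten  '  as  \'  inside $_POST. With the setting
// "Off", a logged-in customer who submits
//     email = x@example.com' WHERE id = 1 -- 
// closes the string early and the trailing WHERE clause becomes a comment, so
// the UPDATE hits a different account; the same trick in a SELECT builder
// lets a UNION read any other table in the database.
function update_email_unsafe(mysqli $db, int $accountId, string $email): bool
{
    $sql = "UPDATE accounts SET email = '" . $email . "' WHERE id = " . $accountId;
    return $db->query($sql) !== false;
}

// (3a) Parameterised query: the submitted value is sent to MySQL as data, never
// as part of the SQL text, so the magic_quotes_gpc setting is irrelevant.
// Caveat: if magic quotes IS on, strip its backslashes first, or the stored
// value will carry them.
function update_email_safe(mysqli $db, int $accountId, string $email): bool
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $email = stripslashes($email);
    }
    $stmt = $db->prepare('UPDATE accounts SET email = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $email, $accountId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// (3b) Encode on output. Input-side anti-XSS filtering is bypassed once an
// attacker can write to the database through SQL injection; encoding every
// value at render time (here, a cell in the administrator's account listing)
// protects the admin's session no matter how the value got into the table.
function render_email_cell(string $storedEmail): string
{
    return '<td>' . htmlspecialchars($storedEmail, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Usage sketch; connection parameters and session key are placeholders.
require_magic_quotes_or_abort();
$db = new mysqli('localhost', 'awbs_user', 'password', 'awbs');
if ($db->connect_error) {
    exit('DB connection failed');
}
session_start();
$accountId = (int) ($_SESSION['account_id'] ?? 0);
$email     = (string) ($_POST['email'] ?? '');
update_email_safe($db, $accountId, $email);
echo render_email_cell($email);
```

The point of (3a) and (3b) together is that neither depends on a php.ini value the application does not control: a prepared statement keeps quotes in user data from ever reaching the SQL parser, and encoding at output time keeps a value that was injected directly into the database from ever reaching the administrator’s browser as markup.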

————————————————————————–

Proof of Concept:

Proof of concept exploit code has been provided to the vendor for every attack
outlined in the description.

————————————————————————–

Disclosure Timeline:

2007-06-10: Informed AWBS developers of vulnerability details by email.

2007-07-26: Public disclosure.

————————————————————————–

Recommendations:

Do not run AWBS with PHP’s magic_quotes_gpc setting “Off”. The vendor has
released version 2.6.0 to address the issue, but it has not yet been verified
to correct it, so the setting should remain “On” until that verification is done.