Advisory: Live http support (RHINO) 4.1 (Frontend) - XSS & Remote Change Password Author: Slotleet Email: Slotleet@Gmail.com Affected Software: Successfully tested on Live http support (RHINO) 4.1 Vendor URL: http://www.livesupportrhino.com Vendor Status: Not Fixed ========================== Vulnerability Description ========================== The Live http Support (RHINO) 4.1 (Backend) is prone to XSS & Remote Change Password ========================== PoC-Exploit ========================== // Non-Persistent XSS with "callback" Parameter in /include/proactive_cross.php (1) Under "callback" set your GET Parameter Callback to "><script>alert(document.cookie)</script> The Non-Persistent XSS will be executed for the Administrator in the browser (he directly logged in because you chatting with him) // Remote Change Password - with "Forgot.php" http://[target]/rhino/operator/index.php?p=forgot (1) in the forgot file there's no condition if the user logged in or not, so we can look deeply in the file in line (27-67) if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) { $defaults = $_POST; $femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL); $pass = $_POST['f_pass']; $newpass = $_POST['f_newpass']; if ($pass != $newpass) { $errors['e1'] = $tl['error']['e10']; } elseif (strlen($pass) <= '5') { $errors['e1'] = $tl['error']['e11']; } if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'], FILTER_VALIDATE_EMAIL)) { $errors['e'] = $tl['error']['e3']; } $fwhen = 0; $user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen); if ($user_check == true && count($errors) == 0) { // The new password encrypt with hash_hmac $passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH); $result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password = "'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"'); $result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE email = "'.smartsql($femail).'" LIMIT 1'); $row = $result->fetch_assoc(); if (!$result) { ls_redirect(JAK_PARSE_ERROR); } else { $lsuserlogin->lsLogin($row['username'], $pass, 0); ls_redirect(BASE_URL); } } else { $errorsf = $errors; } } So there is an MySQL Query to execute if the email in the database (Show up the change password settings). ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN INSTALLED THE SCRIPT. ========================== Solution ========================== Send activation code to the e-mail address. ========================== Disclosure Timeline ========================== 30-Jan-2014 - developer informed by email 30-Jan-2014 - Developer didn't Respond 31-Jan-2014 - Still Not Respond 06-Feb-2014 - Vulnerability Discovered ========================== Credits ========================== Vulnerabilities found and advisory written by Slotleet.