ID

VAR-201209-0281


CVE

CVE-2012-5004


TITLE

Parallels H-Sphere Cross-Site Request Forgery Vulnerability

Trust: 0.8

sources: IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-5307

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in Parallels H-Sphere 3.3 Patch 1 allow remote attackers to hijack the authentication of admins for requests that (1) add group plans via admin/group_plans.html or (2) add extra packages via admin/extra_packs/create_extra_pack.html.

Parallels H-Sphere offers multi-server hosting automation solutions for Linux, BSD and Windows platforms. A cross-site request forgery vulnerability exists in Parallels H-Sphere: an attacker can build a malicious URI, entice a logged-in user to open it, and have that user's browser perform malicious actions in the user's context. H-Sphere includes its own control panels, automated billing, and provisioning solution in a single integrated system. It is scalable to any number of boxes; more Web, mail, database, and Windows hosting servers can be added without downtime.

Abstract:
=========
A Vulnerability Laboratory researcher discovered multiple persistent cross site scripting vulnerabilities on Parallels H-Sphere 3.3 Patch1.

Report-Timeline:
================
2012-01-22: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent cross site scripting vulnerabilities were detected on Parallels H-Sphere 3.3 Patch1. These vulnerabilities allow a remote attacker to hijack customer sessions via persistent cross site scripting. Successful exploitation can result in account theft, client side exploitation or phishing & session hijacking. These bugs are located in the admin panel of Parallels H-Sphere 3.3 Patch1.

Vulnerable Module(s):
[+] Group Module
[+] Extra Package Module

Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with high account privileges (mod/admin) & required user interaction. For demonstration or reproduce ...

[Poc 1]
Open Link: http://demo.psoft.net/psoft/servlet/psoft.hsphere.CP/admin/1_0/psoft.hsphere.CP?template_name=admin/group_plans.html
choose admin, post xss on Group Name: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
press add group. Result XSS!

[Poc 2]
Open link: http://demo.psoft.net/psoft/servlet/psoft.hsphere.CP/admin/1_0/psoft.hsphere.CP?template_name=admin/extra_packs/create_extra_pack.html
Extra Pack Name put xss code: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Extra Package Prices set fee 1 recurrent fee 1
just click submit you will see result.

Risk:
=====
The security risk of the persistent cross site scripting vulnerabilities is estimated as medium(-).

Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab -- Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com .

----------------------------------------------------------------------
TITLE:
Parallels H-Sphere Cross-Site Request Forgery Vulnerability

SECUNIA ADVISORY ID:
SA47556

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47556/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47556

RELEASE DATE:
2012-01-24

DISCUSS ADVISORY:
http://secunia.com/advisories/47556/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47556/

ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47556

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Vulnerability Lab has reported a vulnerability in Parallels H-Sphere, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. add extra packages and group plans and conduct script insertion attacks by tricking a logged in user into visiting a malicious web site.

The vulnerability is reported in version 3.3 Patch 1. Other versions may also be affected.

SOLUTION:
Do not browse untrusted websites or follow untrusted links while logged in to the application.

ORIGINAL ADVISORY:
http://www.vulnerability-lab.com/get_content.php?id=392

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
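The Secunia description above states the admin actions are accepted "without performing any validity checks to verify the requests", and the only workaround it offers is user behaviour. The following is an added example, not code from H-Sphere, Vulnerability-Lab or Secunia: a minimal Python stand-in for the admin/group_plans.html handler that adds the two server-side checks such a fix needs (a per-session synchronizer token compared in constant time, plus an Origin/Referer check as defence in depth) and HTML-escapes the stored group name on output, so the <IFRAME> payload from the PoC is displayed rather than executed. The origin https://cp.example.test, the Session/Request/GroupPlanHandler names and the two sample requests are constructed assumptions for the demo.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Assumed origin of the control panel; constructed for this example.
SITE_ORIGIN = "https://cp.example.test"


@dataclass
class Session:
    """One logged-in admin. The token is minted once per session, server side."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Just the parts of a POST the handler needs (constructed model)."""
    method: str
    path: str
    headers: dict
    form: dict
    session: Session  # the browser attached the cookie, so this is always set


def origin_is_ours(headers: dict) -> bool:
    """Origin, or Referer as a fallback, must be exactly our site (no prefix tricks)."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")


def csrf_ok(req: Request) -> bool:
    """Synchronizer-token check, with the Origin check as defence in depth."""
    if not origin_is_ours(req.headers):
        return False
    sent = req.form.get("csrf_token", "")
    # Constant-time compare: a plain '==' would leak the token byte by byte.
    return hmac.compare_digest(sent, req.session.csrf_token)


class GroupPlanHandler:
    """Stand-in for admin/group_plans.html: validates, stores, renders."""

    def __init__(self):
        self.plans: list = []

    def add_group_plan(self, req: Request) -> tuple:
        if req.method != "POST":
            return 405, "method not allowed"
        if not csrf_ok(req):
            # Reject before touching state: nothing is added by a forged request.
            return 403, "CSRF check failed"
        name = req.form.get("group_name", "").strip()
        if not name:
            return 400, "group name required"
        self.plans.append(name)
        return 200, self.render()

    def render(self) -> str:
        # Escape on output so a stored '<IFRAME ...>' name is shown, not executed.
        rows = "".join(f"<li>{html.escape(p)}</li>" for p in self.plans)
        return f"<ul>{rows}</ul>"


def demo() -> dict:
    """Forged vs. genuine request against one admin session."""
    admin = Session(user="admin")
    handler = GroupPlanHandler()

    # Constructed: an auto-submitted form on an attacker page. The cookie rides
    # along, but the page cannot read the token and its Origin is not ours.
    forged = Request("POST", "/admin/group_plans.html",
                     {"Origin": "https://evil.example"},
                     {"group_name": "attacker-plan"}, admin)
    forged_status, _ = handler.add_group_plan(forged)

    # Constructed: the real form, which carries the session token, submitting
    # the payload string from the Vulnerability-Lab PoC as the group name.
    genuine = Request("POST", "/admin/group_plans.html",
                      {"Origin": SITE_ORIGIN},
                      {"group_name": "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>",
                       "csrf_token": admin.csrf_token}, admin)
    genuine_status, body = handler.add_group_plan(genuine)

    return {"forged_status": forged_status, "genuine_status": genuine_status,
            "plans": list(handler.plans), "body": body}


if __name__ == "__main__":
    print(demo())
```

The forged request is rejected with 403 before any state changes; the genuine one is stored, and the rendered page contains the escaped text, not a live IFRAME. Note that the Secunia "do not browse untrusted websites" workaround only reduces exposure; without a server-side check like this, every authenticated admin session remains forgeable.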

Trust: 2.52

sources: NVD: CVE-2012-5004 // JVNDB: JVNDB-2012-004516 // CNVD: CNVD-2012-5307 // IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d // PACKETSTORM: 108972 // PACKETSTORM: 109047

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.8

sources: IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-5307

AFFECTED PRODUCTS

vendor: parallels, model: h-sphere, scope: eq, version: 3.3

Trust: 1.6

vendor: parallels, model: h-sphere, scope: eq, version: 3.3 patch 1

Trust: 0.8

vendor: parallels, model: h-sphere patch, scope: eq, version: 3.31

Trust: 0.6

vendor: h sphere, model: -, scope: eq, version: 3.3

Trust: 0.2

sources: IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-5307 // JVNDB: JVNDB-2012-004516 // CNNVD: CNNVD-201209-414 // NVD: CVE-2012-5004

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-5004
value: MEDIUM

Trust: 1.0

NVD: CVE-2012-5004
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201209-414
value: MEDIUM

Trust: 0.6

IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2012-5004
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d // JVNDB: JVNDB-2012-004516 // CNNVD: CNNVD-201209-414 // NVD: CVE-2012-5004

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2012-004516 // NVD: CVE-2012-5004

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201209-414

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201209-414

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-004516

PATCH

title: Parallels H-Sphere
url: http://www.parallels.com/jp/products/hsphere/

Trust: 0.8

sources: JVNDB: JVNDB-2012-004516

EXTERNAL IDS

db: NVD, id: CVE-2012-5004

Trust: 3.2

db: SECUNIA, id: 47556

Trust: 2.3

db: PACKETSTORM, id: 108972

Trust: 1.7

db: OSVDB, id: 78505

Trust: 1.6

db: CNVD, id: CNVD-2012-5307

Trust: 0.8

db: CNNVD, id: CNNVD-201209-414

Trust: 0.8

db: JVNDB, id: JVNDB-2012-004516

Trust: 0.8

db: XF, id: 72628

Trust: 0.6

db: IVD, id: 5CA6248E-2353-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: PACKETSTORM, id: 109047

Trust: 0.1

sources: IVD: 5ca6248e-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-5307 // JVNDB: JVNDB-2012-004516 // PACKETSTORM: 108972 // PACKETSTORM: 109047 // CNNVD: CNNVD-201209-414 // NVD: CVE-2012-5004

REFERENCES

url:http://www.vulnerability-lab.com/get_content.php?id=392

Trust: 1.8

url:http://secunia.com/advisories/47556

Trust: 1.6

url:http://packetstormsecurity.org/files/view/108972/vl-392.txt

Trust: 1.6

url:http://osvdb.org/78505

Trust: 1.6

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/72628

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-5004

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-5004

Trust: 0.8

url:http://secunia.com/advisories/47556http

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/72628

Trust: 0.6

url:http://demo.psoft.net/psoft/servlet/psoft.hsphere.cp/admin/1_0/psoft.hsphere.cp?template_name=admin/group_plans.html

Trust: 0.1

url:http://demo.psoft.net/psoft/servlet/psoft.hsphere.cp/admin/1_0/psoft.hsphere.cp?template_name=admin/extra_packs/create_extra_pack.html

Trust: 0.1

url:http://secunia.com/company/jobs/

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/47556/#comments

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/47556/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47556

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2012-5307 // JVNDB: JVNDB-2012-004516 // PACKETSTORM: 108972 // PACKETSTORM: 109047 // CNNVD: CNNVD-201209-414 // NVD: CVE-2012-5004

CREDITS

longrifle0x

Trust: 0.1

sources: PACKETSTORM: 108972

SOURCES

db: IVD, id: 5ca6248e-2353-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2012-5307
db: JVNDB, id: JVNDB-2012-004516
db: PACKETSTORM, id: 108972
db: PACKETSTORM, id: 109047
db: CNNVD, id: CNNVD-201209-414
db: NVD, id: CVE-2012-5004

LAST UPDATE DATE

2025-04-11T22:49:25.080000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2012-5307, date: 2012-09-21T00:00:00
db: JVNDB, id: JVNDB-2012-004516, date: 2012-09-21T00:00:00
db: CNNVD, id: CNNVD-201209-414, date: 2012-09-25T00:00:00
db: NVD, id: CVE-2012-5004, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: IVD, id: 5ca6248e-2353-11e6-abef-000c29c66e3d, date: 2012-09-21T00:00:00
db: CNVD, id: CNVD-2012-5307, date: 2012-09-21T00:00:00
db: JVNDB, id: JVNDB-2012-004516, date: 2012-09-21T00:00:00
db: PACKETSTORM, id: 108972, date: 2012-01-23T16:23:31
db: PACKETSTORM, id: 109047, date: 2012-01-24T01:28:43
db: CNNVD, id: CNNVD-201209-414, date: 2012-09-21T00:00:00
db: NVD, id: CVE-2012-5004, date: 2012-09-19T21:55:07.750