
From: r0t <krustevs_(at)_googlemail.com>
Date: 28.03.2006
Subject: CONTROLzx HMS - Hosting Management System vuln.

CONTROLzx HMS - Hosting Management System vuln.

###############################################
Vuln. discovered by: r0t
Date: 27 March 2006
vendor: http://front.controlzx.com/
affected versions: V.3.3.4 and prior
original advisory:
http://pridels.blogspot.com/2006/03/controlzx-hms-hosting-management.html

###############################################

Vuln. description:


CONTROLzx HMS contains flaws that allow remote cross-site scripting
attacks.
These flaws exist because input passed to the "dedicatedPlanID" parameter
in "dedicated_order.php", the "sharedPlanID" parameter in
"shared_order.php" and the "plan_id" parameter in
"/customers/server_management.php" isn't properly sanitised before
being returned to the user.
Input passed to the email field in "/customers/forgotpass.php" likewise isn't
properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.

examples :

/shared_order.php?sharedPlanID=1[XSS]
/dedicated_order.php?dedicatedPlanID=1[XSS]
/customers/server_management.php?plan_id=1[XSS]


+

/small update/

As this software had another name a few months ago, "DRZES HMS", I
reported multiple vuln. in DRZES HMS 3.2 (look at the additional
info).
So here, just as an update, is one from the 3.2 version which isn't fixed in
the latest releases:

Input passed to the search field in "/customers/register_domain.php" isn't
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of an affected site.


##############################################
DRZES HMS 3.2 - multiple SQL inj. and XSS vuln.
http://pridels.blogspot.com/2005/11/drzes-hms-32-multiple-vuln.html
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
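As an added illustration of the solution above (this is not CONTROLzx HMS source code, which is not on this page), here is a hypothetical reconstruction of the unsanitised-echo pattern the advisory describes, beside a hardened version: numeric plan identifiers are validated as integers before use, and free-text values such as the email field are HTML-escaped at the point of output.

```php
<?php
// Added example, not code from CONTROLzx HMS. The "vulnerable" function is a
// hypothetical reconstruction of the pattern described in the advisory.

// Vulnerable pattern: the query-string value is written into the HTML as-is,
// so any markup present in dedicatedPlanID reaches the browser unescaped.
function render_plan_vulnerable(array $get): string
{
    $planId = $get['dedicatedPlanID'] ?? '';
    return '<input type="hidden" name="dedicatedPlanID" value="' . $planId . '">';
}

// Hardened helper: plan identifiers are integers by design, so anything else
// is rejected before it reaches the page (or a database query).
function plan_id_from_request(array $get, string $key): ?int
{
    $raw = $get[$key] ?? null;
    // FILTER_VALIDATE_INT accepts only a well-formed integer string in range.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function render_plan_hardened(array $get): string
{
    $planId = plan_id_from_request($get, 'dedicatedPlanID');
    if ($planId === null) {
        http_response_code(400);
        return 'Invalid plan selected.';
    }
    // Even a validated integer is escaped on output, as defence in depth.
    return '<input type="hidden" name="dedicatedPlanID" value="'
        . htmlspecialchars((string) $planId, ENT_QUOTES, 'UTF-8') . '">';
}

// Free-text fields such as the forgotpass.php email cannot be reduced to an
// integer, so they are escaped where they are written into the HTML.
function render_email_field_hardened(array $post): string
{
    $email = (string) ($post['email'] ?? '');
    return '<input type="text" name="email" value="'
        . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample request: a valid id followed by stray markup, in the
// shape of the advisory's "1[XSS]" examples.
$sample = ['dedicatedPlanID' => '1<b>'];
echo render_plan_vulnerable($sample), "\n";   // markup is echoed back verbatim
echo render_plan_hardened($sample), "\n";     // value is rejected with HTTP 400
echo render_email_field_hardened(['email' => 'user@example.com']), "\n";
```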
