May 2007
Monthly Archive
TITLE:
TeamSpeak Server Privilege Escalation and Cross-Site Scripting
SECUNIA ADVISORY ID:
SA25242
VERIFY ADVISORY:
http://secunia.com/advisories/25242/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Privilege escalation
WHERE:
From remote
SOFTWARE:
TeamSpeak 2.x
http://secunia.com/product/5832/
DESCRIPTION:
Gilberto Ficara has reported a security issue and some vulnerabilities
in TeamSpeak, which can be exploited by malicious users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks.
1) The problem is that it is possible for a Server Admin to grant
certain privileges like “AccessWebAdminServer”, “AdminAddServer”,
“AdminDeleteServer”, “AdminStartServer”, and “AdminStopServer” to
registered users. This can be exploited to create, start, stop, or
delete servers by creating a user and accessing certain administrative
pages as this user directly.
Successful exploitation requires Server Admin access to the application.
2) Input passed to the “error_title” and “error_text” parameters in
error_box.html and to the “ok_title” parameter in ok_box.html is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user’s browser
session in context of an affected site.
Successful exploitation requires that the user is currently logged in.
The vulnerabilities are confirmed in version 2.0.20.1. Other versions
may also be affected.
SOLUTION:
The vulnerabilities have reportedly been fixed in version 2.0.23.15
BETA.
Filter malicious characters and character sequences in a web proxy.
Grant only trusted users Super Admin privileges.
PROVIDED AND/OR DISCOVERED BY:
Gilberto Ficara
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062935.html
Monday 14 May 2007 | Guardian | TeamSpeak
TITLE:
Nuked-Klan “X-Forwarded-For” SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA25165
VERIFY ADVISORY:
http://secunia.com/advisories/25165/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data
WHERE:
From remote
SOFTWARE:
Nuked-Klan 1.x
http://secunia.com/product/1015/
DESCRIPTION:
DarkFig has discovered a vulnerability in Nuked-Klan, which can be
exploited by malicious people to conduct SQL injection attacks.
Input passed in the “X-Forwarded-For” HTTP header in index.php and
potentially other files is not properly sanitised before being used in
SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
Successful exploitation allows administrator access. Note that this
can be further exploited to execute arbitrary PHP code.
The vulnerability is confirmed in version 1.7.6. Other versions may also
be vulnerable.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
DarkFig
Monday 07 May 2007 | Guardian | phpNuke
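
The source-level fix that the Nuked-Klan SOLUTION above calls for, as an added example (not Nuked-Klan code and not part of the advisory): accept "X-Forwarded-For" only from a known proxy and only when it parses as an IP address, then pass it to the query as a bound parameter. The `visits` table, `TRUSTED_PROXIES`, `client_ip()` and `record_visit()` are assumptions made for illustration, and the requests are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: the only reverse proxy allowed to set X-Forwarded-For.
const TRUSTED_PROXIES = ['127.0.0.1'];

// Returns a syntactically valid IP address, never the raw header text.
function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Any client can send this header, so honour it only from a known proxy.
    if ($xff !== '' && in_array($remote, TRUSTED_PROXIES, true)) {
        // The header may be a chain; the last entry is the one our proxy appended.
        $parts = explode(',', $xff);
        $last = trim(end($parts));
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

function record_visit(PDO $db, string $ip): void
{
    // Bound parameters travel as data and are never parsed as SQL text.
    $stmt = $db->prepare('INSERT INTO visits (ip, seen_at) VALUES (:ip, :ts)');
    $stmt->execute([':ip' => $ip, ':ts' => time()]);
}

// Constructed demo using an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (ip TEXT NOT NULL, seen_at INTEGER NOT NULL)');

$requests = [
    // Trusted proxy forwarding a well-formed address: header is used.
    ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    // Direct client supplying the header itself: header is ignored.
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => "203.0.113.7'--"],
    // Trusted proxy, but the value is not an IP: falls back to REMOTE_ADDR.
    ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => "not-an-ip'--"],
];
foreach ($requests as $server) {
    record_visit($db, client_ip($server));
}
foreach ($db->query('SELECT ip FROM visits') as $row) {
    echo $row['ip'], PHP_EOL;
}
```

Validation and binding are independent controls: the bound parameter alone prevents the injection, while the IP check keeps malformed header text out of stored data that later code may reuse.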