Advisory: SolusLabs - SolusVM
- Advisory date: 29/05/2012
- Vulnerability severity: HIGH
- Affected versions: 1.9.01 and previous versions
Solus Virtual Manager (SolusVM) is a powerful GUI based VPS management system with full OpenVZ, Linux KVM, Xen Paravirtualization and Xen HVM support. SolusVM allows you and your clients to manage a VPS cluster with security & ease.
SolusVM contains a vulnerability that allows remote, unauthenticated attackers to inject SQL commands (SQLi) on vulnerable installations of SolusVM.
The files "/admincp/login.php" and "/admin/adminverify.php" do not sufficiently sanitize user-supplied data in the cookie variables "SMVC" and "SMVD".
The user-supplied values are decrypted with the mcrypt Blowfish functions, but the decrypted data is never sanitized before use. Combined with the default setting of displaying MySQL errors, this allows an attacker to brute force the encryption key and then, for example, gain administrator rights using "'||1#". Other attacks are possible by modifying the SQL injection value.
This vulnerability bypasses any kind of internal error logging/IP retry restrictions and allows an unlimited amount of tries.
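As an added illustration (not SolusVM's code and not the attached PoC), the following PHP shows the hardened pattern the advisory implies: authenticate the cookie before decrypting, treat the plaintext as untrusted input, bind it in a prepared statement, and keep database errors out of the response. The cookie names come from the advisory; the table and column names, the $encKey/$macKey variables and the assumption that SMVC carries an admin id and SMVD a session token are hypothetical, and AES-256-CBC via OpenSSL stands in for the mcrypt Blowfish calls because mcrypt is no longer part of PHP.

```php
<?php
// Added example, not SolusVM's code. Hypothetical: SMVC holds an admin id, SMVD a
// session token; table/column names and $encKey/$macKey are invented for illustration.
// AES-256-CBC (OpenSSL) replaces the mcrypt Blowfish calls, which modern PHP lacks.

ini_set('display_errors', '0'); // never echo MySQL errors to the client; log instead

/** Verify the HMAC first so a tampered or guessed cookie never reaches the cipher. */
function decryptCookie(string $b64, string $encKey, string $macKey): ?string
{
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 32 + 16) {
        return null;
    }
    $tag = substr($raw, 0, 32);  // HMAC-SHA256 over iv || ciphertext
    $iv  = substr($raw, 32, 16);
    $ct  = substr($raw, 48);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return null;             // constant-time compare; reject on mismatch
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

/** Decrypted plaintext is still untrusted input: whitelist its shape, then bind it. */
function adminFromCookies(PDO $pdo, array $cookies, string $encKey, string $macKey): ?array
{
    if (!isset($cookies['SMVC'], $cookies['SMVD'])) {
        return null;
    }
    $adminId = decryptCookie($cookies['SMVC'], $encKey, $macKey);
    $session = decryptCookie($cookies['SMVD'], $encKey, $macKey);
    if ($adminId === null || !ctype_digit($adminId) ||
        $session === null || !ctype_xdigit($session)) {
        return null;             // "'||1#" and the like fail here, before any SQL runs
    }
    // Vulnerable pattern from the advisory: "... WHERE id='$adminId'" built by concatenation.
    // Hardened: a prepared statement, so the value can only ever be compared as a literal.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare(
        'SELECT id, username FROM admins WHERE id = ? AND session_token = ? LIMIT 1'
    );
    $stmt->execute([(int) $adminId, $session]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

With the MAC check in front of decryption, a wrong or brute-forced key produces a rejected cookie rather than attacker-chosen plaintext, and the whitelist plus bound parameters mean the query can never see the injected text.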
Attached PHP PoC: solusvm-02.txt
- 14/03/2012: vulnerability reported to vendor
- 14/03/2012: vulnerability patched by vendor
- 29/05/2012: advisory released