November 4, 2004 -- (WEB HOST INDUSTRY REVIEW) -- According to Secunia (secunia.com), a group that monitors security vulnerabilities, two flaws in the Helm Web hosting control panel have been identified. Helm (helm.webhostautomation.com) is the Web hosting automation software from developer Webhostautomation (webhostautomation.com).
The vulnerabilities, rated "moderately critical," can be exploited to conduct SQL injection and script insertion attacks, Secunia said.
In the first vulnerability, according to Secunia, "Helm fails to verify input passed to the 'messageToUserAccNum' parameter in the 'compose message' form properly before it is used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code."
In the second vulnerability, "Input passed to the 'Subject' field in the 'compose message' form is not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in e.g. an administrator's browser session in context of an affected site when the malicious user data is viewed." Successful exploitation of both vulnerabilities requires reseller-level access.
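The two flaw classes above share one form: a recipient account number that reaches a SQL query unchecked, and a subject line that is stored and later rendered to an administrator without escaping. The following is an added illustration, not Helm's code and not taken from the advisory; it uses a constructed in-memory SQLite schema (the table names, columns and sample accounts are assumptions) to show the vulnerable concatenation pattern next to its hardened counterpart for both the recipient lookup and the subject rendering.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for a control panel's account and message tables.
    Schema and rows are assumptions for this example, not Helm's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (acc_num INTEGER PRIMARY KEY, login TEXT, reseller_id INTEGER);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, to_acc INTEGER, subject TEXT);
        INSERT INTO accounts VALUES (1001, 'alice', 7), (1002, 'bob', 7), (2001, 'carol', 9);
        """
    )
    return conn


def lookup_recipient_unsafe(conn, reseller_id, acc_num):
    """Vulnerable pattern: the request parameter (think 'messageToUserAccNum')
    is spliced into the SQL text, so 'acc_num' can rewrite the WHERE clause.
    The reseller-scoping condition is defeated by an appended 'OR 1=1'."""
    sql = (
        "SELECT acc_num, login FROM accounts WHERE reseller_id = %d AND acc_num = %s"
        % (reseller_id, acc_num)
    )
    return conn.execute(sql).fetchall()


def lookup_recipient_safe(conn, reseller_id, acc_num):
    """Hardened: enforce the expected type, then bind the value as a parameter
    so it can never be interpreted as SQL."""
    if not str(acc_num).isdigit():
        raise ValueError("messageToUserAccNum must be a positive integer")
    return conn.execute(
        "SELECT acc_num, login FROM accounts WHERE reseller_id = ? AND acc_num = ?",
        (reseller_id, int(acc_num)),
    ).fetchall()


def store_message(conn, to_acc, subject):
    """Storing the subject verbatim is fine; the stored-XSS defect is in how it
    is later rendered, not in how it is saved."""
    conn.execute("INSERT INTO messages (to_acc, subject) VALUES (?, ?)", (to_acc, subject))
    conn.commit()


def render_inbox_unsafe(conn, acc_num):
    """Vulnerable pattern: stored subjects are concatenated into HTML, so a
    subject containing markup runs in the viewer's (e.g. admin's) browser."""
    rows = conn.execute("SELECT subject FROM messages WHERE to_acc = ?", (acc_num,))
    return "".join("<tr><td>%s</td></tr>" % subject for (subject,) in rows)


def render_inbox_safe(conn, acc_num):
    """Hardened: HTML-escape at output time, quoting attribute characters too."""
    rows = conn.execute("SELECT subject FROM messages WHERE to_acc = ?", (acc_num,))
    return "".join(
        "<tr><td>%s</td></tr>" % html.escape(subject, quote=True) for (subject,) in rows
    )


if __name__ == "__main__":
    db = make_db()
    print(lookup_recipient_unsafe(db, 7, "1001 OR 1=1"))  # leaks every account
    print(lookup_recipient_safe(db, 7, "1001"))
    store_message(db, 1001, "<script>alert(document.cookie)</script>")
    print(render_inbox_unsafe(db, 1001))
    print(render_inbox_safe(db, 1001))
```

The hardened lookup does two independent things: it rejects anything that is not a plain integer, and it binds the value instead of formatting it into the query. Either alone would stop the injection shown here; doing both means a later change to the validation rule does not silently reopen the SQL path. Escaping is applied when rendering rather than when storing so the original subject survives intact for any non-HTML consumer.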
The vulnerabilities, discovered by Behrang Fouladi, have been reported in version 3.1.19. Other versions may also be affected, Secunia said.