
List:       bugtraq
Subject:    [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS
From:       Zinho <zinho () hackerscenter ! com>
Date:       2005-05-11 22:00:37
Message-ID: 20050511224414.22507.qmail () www ! securityfocus ! com

Hackers Center Security Group (http://www.hackerscenter.com/)  
Zinho's Security Advisory  

Desc: MaxWebPortal 1.3.5 and prior 
Risk: High 


MaxWebPortal is probably the most widespread ASP-based web portal script. 
I've found multiple XSS and SQL injection flaws that could easily lead to password stealing or portal defacement. 

Proof of concept: 

Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542 


XSS: 
--- Temporary XSS 
1. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext> 

2. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext> 

3. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext> 


---- Permanent XSS 
Try posting using this URL: 
1. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=http://<plaintext> 

SQL Injections: 

1. The fpassword parameter passed to the function "ChkUser" defined in inc_functions.asp is not checked, allowing SQL injection. 

2. The "txtAddress", "message" and "subject" parameters of post_info.asp are not sanitized. 

3. The "andor" parameter is appended to the SQL string on line 140 of search.asp (search.asp?mode=DoIt, issued with method POST), allowing SQL injection. 

4. verkey on line 132 of pop_profile.asp is not sanitized, allowing SQL injection: pop_profile.asp?verkey=' 

5. SQL injection through cookie alteration in pop_profile.asp (and all the other functions that use authentication through cookies). 
Anyone can change the password in the cookie to "'" and inject SQL in the ChkUsr2 function. 

6. pm_delete2.asp: SQL injection on line 85; the "Remove" parameter is not sanitized. 

7. pm_delete2.asp: the "Delete" parameter is not sanitized. 
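As a defender's illustration added to this advisory (not code from MaxWebPortal or the author), the concatenation defect behind SQL injection items 1 and 5 beside a parameterised classic ASP replacement, plus the output encoding that closes the reflected XSS items; table and column names, strConnString and the cookie names are assumed placeholders.

```vbscript
<%
' Added illustration (not MaxWebPortal code) of the defect class behind SQL
' injection items 1 and 5 and the reflected XSS items. Table and column names,
' strConnString and the cookie names are placeholders, not the real identifiers.

' VULNERABLE pattern: the password is pasted straight into the SQL text, so a
' single quote (from the fpassword field or from the cookie) terminates the
' string literal and lets the caller rewrite the WHERE clause.
Function ChkUser_Vulnerable(strUsername, strPassword)
    Dim rs
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "SELECT MEMBER_ID FROM MEMBERS WHERE M_NAME = '" & strUsername & _
            "' AND M_PASSWORD = '" & strPassword & "'", strConnString
    ChkUser_Vulnerable = Not rs.EOF
    rs.Close
End Function

' HARDENED pattern: a parameterised ADODB.Command keeps the values out of the
' SQL text, so quote characters in the username or password are just data.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function ChkUser_Safe(strUsername, strPassword)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = strConnString
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT MEMBER_ID FROM MEMBERS WHERE M_NAME = ? AND M_PASSWORD = ?"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, strUsername)
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 50, strPassword)
    Set rs = cmd.Execute
    ChkUser_Safe = Not rs.EOF
    rs.Close
End Function

' Cookie re-authentication (item 5): the cookie is attacker controlled exactly
' like a form field, so it goes through the same parameterised check.
Dim loggedIn
loggedIn = ChkUser_Safe(Request.Cookies("Forum")("Username"), _
                        Request.Cookies("Forum")("Password"))

' Output encoding for the reflected parameters behind the XSS items: echo
' request values such as Forum_Title only through Server.HTMLEncode.
Response.Write "<input name=""Forum_Title"" value=""" & _
               Server.HTMLEncode(Request("Forum_Title")) & """>"
%>
```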



The vendor was contacted one month ago. 
They released the new version 1.3.6 that *should* (I've not checked) fix all the above. 




Author: 
Zinho is webmaster and founder of http://www.hackerscenter.com, a security research portal. 
Secure web hosting companies reviewed: 
http://www.securityforge.com/web-hosting/secure-web-hosting.asp 

zinho-no-spam @ hackerscenter.com  
