List: bugtraq
Subject: [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS
From: Zinho <zinho () hackerscenter ! com>
Date: 2005-05-11 22:00:37
Message-ID: 20050511224414.22507.qmail () www ! securityfocus ! com
Hackers Center Security Group (http://www.hackerscenter.com/)
Zinho's Security Advisory
Desc: Maxwebportal 1.3.5 and prior
Risk: High
MaxWebPortal is probably the most spread ASP based web portal script.
I've found multiple XSS and SQL injections that could easily lead to password stealing or portal defacement.
Proof of concept:
Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542
XSS :
--- Temporary XSS
1. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext>
2. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext>
3. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext>
---- Permanent XSS
Try Posting using this url:
1. /post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=http://<plaintext>
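The three temporary cases above share one pattern: a request parameter (mod, M, type) is echoed straight into an HTML attribute, so a value beginning with `"><` closes the attribute and the remainder is parsed as markup. The following added example (not MaxWebPortal code; the hidden-field rendering and the parameter names are assumptions chosen to mirror the advisory) shows the vulnerable rendering beside the attribute-encoded form, plus a small check a tester or reviewer can run to confirm the echoed value can no longer leave the attribute.

```python
import html
import re

# Constructed sample parameters modelled on the advisory's URLs: a harmless
# value and the attribute-breaking value from the proof of concept.
SAMPLE_PARAMS = {
    "Forum_Title": "General Chat",
    "mod": '"><plaintext>',
}


def render_hidden_field_unsafe(name, value):
    """Vulnerable pattern (hypothetical, mirrors the advisory): the request
    parameter is written verbatim into value="...", so a double quote in the
    input terminates the attribute and the rest becomes markup."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def render_hidden_field(name, value):
    """Hardened form: HTML-encode for attribute context. quote=True also
    encodes the double quote, so the whole input stays inside value="..."."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


_TAG = re.compile(r"<[^>]+>")


def breaks_out_of_attribute(rendered):
    """Detection helper: the fragment should contain exactly one tag (the
    <input> we emitted). Any additional tag means the value escaped the
    attribute context."""
    return len(_TAG.findall(rendered)) != 1


def audit(params):
    """Render every sample parameter both ways and report which renderer
    lets the value escape the attribute."""
    report = {}
    for name, value in params.items():
        report[name] = {
            "unsafe_escapes": breaks_out_of_attribute(render_hidden_field_unsafe(name, value)),
            "safe_escapes": breaks_out_of_attribute(render_hidden_field(name, value)),
        }
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_PARAMS).items():
        print(name, result)
```

The encoding is context-specific: the same value echoed inside a `<script>` block or a URL would need a different encoder, which is why the check counts tags in the rendered fragment rather than looking for particular characters.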
SQL Injections:
1. The fpassword parameter in the function "ChkUser" defined in inc_functions.asp is not checked; SQL injection is possible.
2. The "txtAddress", "message" and "subject" parameters in post_info.asp are not sanitized.
3. The "andor" parameter is appended to the SQL string on line 140 of search.asp (search.asp?mode=DoIt, issued with method POST); SQL injection is possible.
4. verkey on line 132 of pop_profile.asp is not sanitized; SQL injection is possible: pop_profile.asp?verkey='
5. SQL injection through cookie alteration in pop_profile.asp (and all the other functions that use authentication through cookies): anyone can change the password in the cookie to "'" and inject SQL in the ChkUsr2 function.
6. pm_delete2.asp: SQL injection on line 85, the "Remove" parameter is not sanitized.
7. pm_delete2.asp: the "Delete" parameter is not sanitized.
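Items 1 and 5 describe the same root cause: a value taken from the request or from the authentication cookie is concatenated into the SQL text of a login check, so a single quote alters the statement. The following added example (generic Python with sqlite3, not the portal's ASP code; the table and column names are hypothetical) places that concatenating check beside a parameterized one and shows how each reacts to a password of "'", the probe the advisory uses. The same change, moving values out of the statement text and into bound parameters, is what a fix in the ASP pages needs to do.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the portal's member table
    (hypothetical schema, not MaxWebPortal's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def chk_user_unsafe(conn, name, password):
    """Vulnerable pattern (hypothetical, mirrors ChkUser as described): the
    name and password, whether from the form or the cookie, are spliced into
    the SQL text. A quote in either value becomes part of the statement; with
    a bare "'" the SQL is malformed and the driver raises OperationalError,
    which is the symptom the advisory reports."""
    sql = ("SELECT name FROM members WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def chk_user(conn, name, password):
    """Hardened form: the statement text is fixed and the values are bound as
    parameters, so a quote in the input is compared as data, never parsed."""
    sql = "SELECT name FROM members WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def compare(name, password):
    """Run both checks on the same credentials and report the outcome of each:
    True/False for a completed lookup, or "sql error" when the concatenated
    statement failed to parse."""
    conn = make_db()
    safe = chk_user(conn, name, password)
    try:
        unsafe = chk_user_unsafe(conn, name, password)
    except sqlite3.OperationalError:
        unsafe = "sql error"
    return {"safe": safe, "unsafe": unsafe}


if __name__ == "__main__":
    # Constructed inputs: a valid login, then the advisory's single-quote probe.
    print(compare("alice", "s3cret"))
    print(compare("alice", "'"))
```

The quote-induced error is only the visible symptom; the real defect is that input reaches the SQL parser at all, which is why the fix binds parameters rather than filtering characters. Note also that the parameterized check treats the cookie value as untrusted data exactly as it does a form field, so the cookie path in item 5 is covered by the same change.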
The vendor was contacted one month ago.
They released the new version 1.3.6 that *should* (I've not checked) fix all the above.
Author:
Zinho is webmaster and founder of http://www.hackerscenter.com, a security research portal.
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp
zinho-no-spam @ hackerscenter.com