XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal
From: "Manuel López" <mantra@xxxxxxxx>
Date: Tue, 10 Feb 2004 15:55:49 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortalBy: Manuel López

Vendor Description:

MaxWebPortal is a web portal and online community system which includesadvanced features such as web-based administration, poll, private/publicevents calendar, user customizable color themes, classifieds, user controlpanel, online pager, link, file, article, picture managers and much more.

Software:

MaxWebPortal

Severity:

Moderately critical

Impact:

Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection.Description:- -- Cross Site Scripting --An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp'as well as the "SendTo" parameter in Personal Messages that allows arbitrarycode execution on the client-side browser.

Another XSS vulnerability exists in the script 'down.asp'.
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>
This vulnerability exists via insufficient

sanitization of the the HTTP_REFERER, an attacker can create falseHTTP_REFERER headers which contain arbitrary HTML and script code.<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>- -- Sql Injection --Another problem of sanitation in the "SendTo" parameter in Personal Messagescould lead an attacker to inject SQL code to manipulate and disclose variousinformation from the database.- -- Avatar ScriptCode Injection --The problem is in the 'register' form, it doesn't perform input validationwhen inserting an image name of an Avatar into the database. This can beexploited by a malicious user to inject arbitrary HTML or scriptcode insteadof an Avatar.This can be used for example to steal another user's cookies if the uservisits a page where the attacker user's Avatar image would have beendisplayed.<select name="Avatar_URL" size="4" onChange ="if (CheckNav(3.0,4.0))URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value;"><optionvalue="javascript:alert(document.cookie)">POC-Avatar</option></select>

Solution:
MaxWebPortal fixed the bugs
Update to version 1.32

http://www.maxwebportal.com

- ---- Credits ----
Manuel López ( mantra@xxxxxxxx ) #IST

Special Thank´s: -- Aklis -- gulo.orgKein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z..and all the #IST staff.

Excuse me for speaking English so badly.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.1

iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ

-----END PGP SIGNATURE-----

Prev by Date: Re: clamav 0.65 remote DOS exploit
Next by Date: Re: Hysterical first technical alert from US-CERT
Previous by thread: Directory traversal in RealPlayer allows code execution
Next by thread: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
Index(es):
- Date
- Thread