[HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS
From: Zinho <zinho@xxxxxxxxxxxxxxxxx>
Date: 11 May 2005 22:44:14 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Hackers Center Security Group (http://www.hackerscenter.com/)  
Zinho's Security Advisory  

Desc: Maxwebportal 1.3.5 and prior 
Risk: High 


MaxWebPortal is probably the most spread ASP based web portal script. 
I've found multiple XSS and Sql injection that could easily lead to password 
strealing or  portal defacement. 

Proof of concept: 

Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542 


XSS : 
--- Temporary XSS 
1./post.asp?method=Topic&FORUM_ID=1&  
CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext> 

2. /post.asp?method=Topic&FORUM_ID=1&  
CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext> 

3. /post.asp?method=Topic&FORUM_ID=1&  
CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext> 


---- Permanent XSS 
Try Posting using this url: 
1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext> 






SQL Injections: 

1. fpassword parameter into function "ChkUser" defined into inc_functions.asp 
is not  checked. An SQL injection can be taken. 


2. "txtAddress", "message" and "subject" parameters into post_info.asp are not 
sanitized.  


3."andor" parameter added to the sql string on line 140 of search.asp 
search.asp?mode=DoIt  (Issued with method POST). An SQL injection can be taken 

4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can 
be taken 
pop_profile.asp?verkey=' 

5. SQL injection through Cookie alteration in pop_profile.asp (and all the 
other functions   that use authentication through Cookies) 

Anyone can change the password in the cokie to "'" and inject sql in the 
ChkUsr2  function 


6.  pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized 

7.  pm_delete2.asp - "Delete" parm is not sanitized 



Venodr has been contacted one month ago. 
They released the new version 1.3.6 that *should* (I've not checked) all the 
above. 




Author:  
Zinho is webmaster and founder of http://www.hackerscenter.com ,  
Security research portal  
Secure Web Hosting Companies Reviewed:  
http://www.securityforge.com/web-hosting/secure-web-hosting.asp  

zinho-no-spam @ hackerscenter.com

Prev by Date: Linux kernel ELF core dump privilege elevation
Next by Date: Re: TCP/IP implementations do not adequately validate ICMP error messages
Previous by thread: Re: Linux kernel ELF core dump privilege elevation
Next by thread: [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability
Index(es):
- Date
- Thread