[HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS
Hackers Center Security Group (http://www.hackerscenter.com/)
Zinho's Security Advisory
Desc: Maxwebportal 1.3.5 and prior
Risk: High
MaxWebPortal is probably the most spread ASP based web portal script.
I've found multiple XSS and Sql injection that could easily lead to password
strealing or portal defacement.
Proof of concept:
Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542
XSS :
--- Temporary XSS
1./post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext>
2. /post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext>
3. /post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext>
---- Permanent XSS
Try Posting using this url:
1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext>
SQL Injections:
1. fpassword parameter into function "ChkUser" defined into inc_functions.asp
is not checked. An SQL injection can be taken.
2. "txtAddress", "message" and "subject" parameters into post_info.asp are not
sanitized.
3."andor" parameter added to the sql string on line 140 of search.asp
search.asp?mode=DoIt (Issued with method POST). An SQL injection can be taken
4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can
be taken
pop_profile.asp?verkey='
5. SQL injection through Cookie alteration in pop_profile.asp (and all the
other functions that use authentication through Cookies)
Anyone can change the password in the cokie to "'" and inject sql in the
ChkUsr2 function
6. pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized
7. pm_delete2.asp - "Delete" parm is not sanitized
Venodr has been contacted one month ago.
They released the new version 1.3.6 that *should* (I've not checked) all the
above.
Author:
Zinho is webmaster and founder of http://www.hackerscenter.com ,
Security research portal
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp
zinho-no-spam @ hackerscenter.com