XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal


Date: Tue, 10 Feb 2004 15:55:49 +0100
From: Manuel López <[email protected]>
To: [email protected]
Subject: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal

 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 

Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal 

By: Manuel López 

Vendor Description:
MaxWebPortal is a web portal and online community system which includes 
advanced features such as web-based administration, poll, private/public 
events calendar, user customizable color themes, classifieds, user control 
panel, online pager, link, file, article, picture managers and much more. 

Software:
MaxWebPortal 

Severity:
Moderately critical 

Impact:
Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection. 

Description: 

 - -- Cross Site Scripting -- 

An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp' 
as well as the "SendTo" parameter in Personal Messages that allows arbitrary 
code execution on the client-side browser. 

Another XSS vulnerability exists in the script 'down.asp', which writes the 
HTTP_REFERER header into the page without sufficient sanitization:
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>
An attacker can create false HTTP_REFERER headers which contain arbitrary 
HTML and script code. 

 - -- Sql Injection -- 

Insufficient sanitization of the "SendTo" parameter in Personal Messages 
could also allow an attacker to inject SQL code to manipulate and disclose 
various information from the database. 

 - -- Avatar ScriptCode Injection -- 

The problem is in the 'register' form, which doesn't perform input validation 
when inserting the image name of an Avatar into the database. This can be 
exploited by a malicious user to inject arbitrary HTML or script code instead 
of an Avatar.
This can be used, for example, to steal another user's cookies if that user 
visits a page where the attacker's Avatar image would have been 
displayed. 

<select name="Avatar_URL" size="4" onChange ="if (CheckNav(3.0,4.0)) 
URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value 
;">
<option 
value="javascript:alert(document.cookie)">POC-Avatar</option></select> 

Solution:
MaxWebPortal fixed the bugs
Update to version 1.32
http://www.maxwebportal.com 

 - ---- Credits ----
Manuel López ( [email protected] ) #IST
Special Thanks: -- Aklis -- gulo.org 

Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z.. 
and all the #IST staff. 

Excuse me for speaking English so badly.

 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 

iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ
 -----END PGP SIGNATURE----- 
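
The 'down.asp' Referer issue and the Avatar_URL issue described in the advisory are both URL values written into an HTML attribute without checks. The following Classic ASP sketch is an added example, not MaxWebPortal's code or its 1.32 fix; the function names, the fallback values "default.asp" and "images/noavatar.gif", and the allowed avatar pattern are assumptions.

```vbscript
<%
' Added example: validate URL-like input, then HTML-encode it on output.

' True only for absolute http(s) URLs without quotes, angle brackets,
' whitespace or control characters (rejects javascript: and similar schemes).
Function IsHttpUrl(ByVal u)
    Dim re
    IsHttpUrl = False
    If Len(u) = 0 Or Len(u) > 255 Then Exit Function
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^https?://[^\s""'<>\x00-\x1f]+$"
    IsHttpUrl = re.Test(u)
End Function

' Avatar values (assumed format): a relative path or http(s) URL that ends
' in an image extension. Anything else is rejected before it is stored.
Function IsSafeAvatar(ByVal v)
    Dim re
    IsSafeAvatar = False
    If Len(v) = 0 Or Len(v) > 255 Or InStr(v, "..") > 0 Then Exit Function
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^(https?://[a-z0-9.\-]+(:\d+)?/)?[a-z0-9_][a-z0-9_\-./]*\.(gif|jpe?g|png)$"
    IsSafeAvatar = re.Test(v)
End Function

Dim backUrl, avatar

' The Referer header is client-controlled: check it, fall back if it fails.
backUrl = "" & Request.ServerVariables("HTTP_REFERER")
If Not IsHttpUrl(backUrl) Then backUrl = "default.asp"          ' hypothetical fallback

' The <select> options are only a client-side hint: re-check on the server.
avatar = "" & Request.Form("Avatar_URL")
If Not IsSafeAvatar(avatar) Then avatar = "images/noavatar.gif" ' hypothetical default
%>
<!-- Encode at output as well, so a stored value cannot break out of the attribute -->
<a href="<%= Server.HTMLEncode(backUrl) %>">Back</a>
<img src="<%= Server.HTMLEncode(avatar) %>" alt="avatar">
```

The same avatar check should also run where existing database values are rendered, since entries stored before the fix may already contain script content.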
