Maxwebportal versions 1.3.5 and prior suffer from cross site scripting and SQL injection vulnerabilities.
c732baf72d306d51db23d20c0c2a2595e9d7a50f70ca3a40434658131204af63--Alt-Boundary-12164.15822371
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
Hackers Center Security Group (http://www.hackerscenter.com/)
Zinho's Security Advisory
Desc: Maxwebportal 1.3.5 and prior
Risk: High
MaxWebPortal is probably the most spread ASP based web portal script.
I've found multiple XSS and Sql injection that could easily lead to password strealing or
portal defacement.
Proof of concept:
Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542
XSS :
--- Temporary XSS
1./post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext>
2. /post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext>
3. /post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext>
---- Permanent XSS
Try Posting using this url:
1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext>
SQL Injections:
1. fpassword parameter into function "ChkUser" defined into inc_functions.asp is not
checked. An SQL injection can be taken.
2. "txtAddress", "message" and "subject" parameters into post_info.asp are not sanitized.
3."andor" parameter added to the sql string on line 140 of search.asp
search.asp?mode=DoIt (Issued with method POST). An SQL injection can be taken
4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken
pop_profile.asp?verkey='
5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions
that use authentication through Cookies)
Anyone can change the password in the cokie to "'" and inject sql in the ChkUsr2
function
6. pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized
7. pm_delete2.asp - "Delete" parm is not sanitized
Venodr has been contacted one month ago.
They released the new version 1.3.6 that *should* (I've not checked) all the above.
Author:
Zinho is webmaster and founder of http://www.hackerscenter.com ,
Security research portal
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp
zinho-no-spam @ hackerscenter.com
====>
Webmaster of
.:[ Hackers Center : Internet Security Portal]:.
http://www.hackerscenter.com
http://www.securityforge.com/web-hosting
--Alt-Boundary-12164.15822371
Content-type: text/html; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
<?xml version="1.0" ?><html>
<head>
<title></title>
</head>
<body>
<div align="left"><font face="Arial"><span style="font-size:10pt">Hackers Center Security Group (</span></font><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.hackerscenter.com/</u></span></font><font
face="Arial"><span style="font-size:10pt">) </span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Zinho's Security Advisory </span></font></div>
<div align="left"><br/>
<font face="Arial"><span style="font-size:10pt">Desc: Maxwebportal 1.3.5 and prior</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Risk: High</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">MaxWebPortal is probably the most spread ASP based web portal script.</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">I've found multiple XSS and Sql injection that could easily lead to password strealing or
portal defacement.</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Proof of concept:</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">XSS :</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">--- Temporary XSS</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">1./post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext></span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">2. /post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext></span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">3. /post.asp?method=Topic&FORUM_ID=1&
CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext></span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">---- Permanent XSS</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Try Posting using this url:</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext></span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">SQL Injections:</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">1. fpassword parameter into function "ChkUser" defined into inc_functions.asp is not
checked. An SQL injection can be taken.</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">2. "txtAddress", "message" and "subject" parameters into post_info.asp are not
sanitized. </span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">3."andor" parameter added to the sql string on line 140 of search.asp</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">search.asp?mode=DoIt (Issued with method POST). An SQL injection can be taken</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">pop_profile.asp?verkey='</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions
that use authentication through Cookies)</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Anyone can change the password in the cokie to "'" and inject sql in the ChkUsr2
function</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">6. pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">7. pm_delete2.asp - "Delete" parm is not sanitized</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Venodr has been contacted one month ago.</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">They released the new version 1.3.6 that *should* (I've not checked) all the above.</span></font></div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
</div>
<div align="left"><br/>
<font face="Arial"><span style="font-size:10pt">Author: </span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Zinho is webmaster and founder of </span></font><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.hackerscenter.com</u></span></font><font
face="Arial"><span style="font-size:10pt"> , </span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Security research portal </span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Secure Web Hosting Companies Reviewed: </span></font></div>
<div align="left"><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.securityforge.com/web-hosting/secure-web-hosting.asp</u></span></font><font face="Arial"><span
style="font-size:10pt"> </span></font></div>
<div align="left"><br/>
<font face="Arial"><span style="font-size:10pt">zinho-no-spam @ hackerscenter.com </span></font></div>
<div align="left"><br/></div>
<div align="left"><br/>
</div>
<div align="left"><font face="Arial"><span style="font-size:10pt">====></span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">Webmaster of</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">.:[ Hackers Center : Internet Security Portal]:.</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">http://www.hackerscenter.com</span></font></div>
<div align="left"><font face="Arial"><span style="font-size:10pt">http://www.securityforge.com/web-hosting</span></font></div>
<div align="left"><br/>
</div>
<div align="left"></div>
</body>
</html>
--Alt-Boundary-12164.15822371--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed