Date: 6 Jun 2003 16:31:41 -0000
From: JeiAr <jeiar@...ms.com>
To: bugtraq@...urityfocus.com
Subject: Critical Vulnerabilities In Max Web Portal
Multiple Vulnerabilities In Max Web Portal
------------------------------------------
Discovery Date: 05/2003
Versions Vuln : All? / 1.30
Author's URL : http://www.maxwebportal.com
http://www.maxcanada.ca
Notify Status : Patch Available / Upgrade
Product Description
------------------------------------------
MaxWebPortal is a web portal and online community
system which includes advanced features such as
web-based administration, poll, private/public
events calendar, user customizable color themes,
classifieds, user control panel, online pager,
link, file, article, picture managers and much
more. Easy-to-use and powerful user interface
allows members to add news, content, write reviews
and share information among other registered users.
Vendor Status
------------------------------------------
The vendor was not only very quick and helpful with
replying, but they got a fix out just as quick. I must
say it was quite impressive :) As far as a fix goes,
here are two links to the patch.
http://www.gulftech.org/vuln/MaxWebPortal%201.30%20Patch.zip
http://www.maxwebportal.com
There will also be a new version of Max Web Portal released
this upcoming week, and it will be available at www.maxwebportal.com
None of these patches have been tested by myself or any other
security researchers thus far, and it is not known if the holes
were fixed 100%, but time will tell :)
search.asp XSS Vulnerability
------------------------------------------
The Max Web Portal search utility is vulnerable
to cross site scripting attacks. The Search parameter
is reflected back into the page without being HTML-encoded,
so all an attacker has to do is break out of the input
tag and enter their code of choice, such as JS or VBS. Below is
an example of this vulnerability.
http://blah/search.asp?Search="><script>alert()</script>
Remember this vuln, as I will later explain how it
can be used to aid an attacker in compromising user
and admin accounts.
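As an added illustration (not code from the advisory or from MaxWebPortal, whose pages are classic ASP), the Python below models the reflected search field: the vulnerable rendering echoes the Search parameter straight into the input's value attribute, and the hardened version HTML-encodes it first, the equivalent of wrapping the value in Server.HTMLEncode in ASP. The input template and the helper names are assumptions; the payload is the one from the advisory's example URL.

```python
import html

# Constructed payload, taken from the advisory's example URL.
PAYLOAD = '"><script>alert()</script>'

# Hypothetical template for how search.asp echoes the term back; the real
# page's markup is not shown in the advisory.
TEMPLATE = '<input type="text" name="Search" value="{value}">'


def render_search_vulnerable(search: str) -> str:
    """Pre-patch behaviour as the advisory describes it: the Search parameter
    goes back into the value attribute untouched, so a leading '">' closes the
    attribute and the tag, and whatever follows is parsed as page markup."""
    return TEMPLATE.format(value=search)


def render_search_hardened(search: str) -> str:
    """Same page with the term HTML-encoded first. html.escape(quote=True)
    turns & < > " and ' into entities, which covers the characters that
    Server.HTMLEncode handles for this attribute context, so the browser
    renders the payload as text instead of executing it."""
    return TEMPLATE.format(value=html.escape(search, quote=True))


def script_tag_present(page: str) -> bool:
    """Check used below: does a live <script> element appear in the page?"""
    return "<script>" in page.lower()
```

Encoding on output is the whole fix; filtering the word "script" out of the input is not, since an attacker can pick any other element or event handler once the attribute is closed.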
Hidden Form Field Vulnerability
------------------------------------------
The Max Web Portal system seems to rely on hidden
form fields quite heavily. This is not really a problem
if done securely. However, any user can perform some
admin actions by exploiting the use of these hidden fields,
because the server honours their values without checking
whether the poster is actually an admin.
For example, an attacker can deface a Max Web Portal
site by clicking the link to start a new topic, saving the
HTML file offline, and making a few changes. By adding the
following to the form, any post the attacker makes will show
up on the front page as a news item (credits to pivot for
finding this one :) ):
A hidden field with name="news" value="1"
And this will also lock the topic:
A hidden field with name="lock" value="1"
Unfortunately this vuln can also be exploited by the scum of
the earth (spammers :( ). Below is an example of how a user
can send a private message to all members of a particular
Max Web Portal driven site:
A hidden field with name="allmem" value="true"
There may be other vulns like this that can be exploited. We,
however, quit bothering to look after these were found. heh
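The following is an added example, not code from the advisory or from the product, that models the new-topic handler in Python: the vulnerable version applies the three hidden flags straight from the POST body, the hardened version applies them only when the server-side session says the poster is an admin. The "subject" and "message" field names, the User/Topic shapes and the tampered POST body are all constructed for the example; the three flag names are the ones the advisory lists.

```python
from dataclasses import dataclass
from typing import Dict
from urllib.parse import parse_qs, urlencode


@dataclass
class User:
    name: str
    is_admin: bool = False   # comes from the server-side session, never from the request


@dataclass
class Topic:
    author: str
    body: str
    front_page_news: bool = False   # the "news" flag from the advisory
    locked: bool = False            # the "lock" flag
    pm_all_members: bool = False    # the "allmem" flag


# Constructed POST body: the saved new-topic form with the three hidden fields
# from the advisory added by hand. "subject" and "message" are assumed names.
TAMPERED_POST = urlencode({
    "subject": "hello",
    "message": "defaced",
    "news": "1",
    "lock": "1",
    "allmem": "true",
})


def parse_form(body: str) -> Dict[str, str]:
    """Flatten an application/x-www-form-urlencoded body to a plain dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def post_topic_vulnerable(user: User, form: Dict[str, str]) -> Topic:
    """The flawed pattern: the flags are honoured because the admin UI is the
    only place the server emits them; nobody re-checks who sent them back."""
    return Topic(
        author=user.name,
        body=form.get("message", ""),
        front_page_news=form.get("news") == "1",
        locked=form.get("lock") == "1",
        pm_all_members=form.get("allmem") == "true",
    )


def post_topic_hardened(user: User, form: Dict[str, str]) -> Topic:
    """Hidden fields are still client input. Each privileged flag is applied
    only if the authenticated user's server-side role permits it."""
    may_set_flags = user.is_admin
    return Topic(
        author=user.name,
        body=form.get("message", ""),
        front_page_news=may_set_flags and form.get("news") == "1",
        locked=may_set_flags and form.get("lock") == "1",
        pm_all_members=may_set_flags and form.get("allmem") == "true",
    )
```

The same rule covers the "allmem" private-message case: whether a message may go to every member is a property of the sender's role, looked up on the server, not of a field the sender's browser happened to include.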
Account Compromise Via Cookie Poisoning
------------------------------------------
Now this is where the earlier XSS vuln could come in very
handy to an attacker. Basically, by changing certain values
in the cookie file of a Max Portal website an attacker can
assume the identity of anyone, even an admin. This is
only possible if you have the encrypted password of a
user, but the XSS vuln above (which can be used to steal a
victim's cookie, and with it their encrypted password) or
other methods make that quite easy. All an attacker has to do
is log in as themselves to obtain a valid session id. Then,
without logging out, close the browser and change their name
and encrypted pass in the cookie to that of the identity they
wish to assume. When they return to the site it will then
recognize them as the compromised user, because the name and
encrypted password in the cookie are trusted on their own and
are never tied to the session id that was issued at login.
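As an added example (not the product's code, and not code from the advisory), the Python below models the two designs side by side. The vulnerable model keeps the member name and stored password hash in the cookie and only checks that some session id was issued, so swapping in another member's name and hash works exactly as the advisory describes. The hardened model puts nothing but an HMAC-signed, server-issued session id in the cookie and resolves the member from server-side state, so extra fields in the cookie are never read. The member table, the use of SHA-256 for the "encrypted password", and all names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def pw_hash(password: str) -> str:
    # The advisory's "encrypted password" modelled as an unsalted SHA-256 hash;
    # this is an assumption standing in for the product's real scheme.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed member table.
USERS: Dict[str, str] = {
    "admin": pw_hash("correct-horse"),
    "mallory": pw_hash("mallory-pw"),
}

# ---- vulnerable model: credentials travel in the cookie -------------------
ISSUED_SESSION_IDS = set()   # the server remembers only that an id was handed out


def login_weak(name: str, password: str) -> Optional[Dict[str, str]]:
    if USERS.get(name) != pw_hash(password):
        return None
    sid = secrets.token_hex(8)
    ISSUED_SESSION_IDS.add(sid)
    return {"name": name, "pass": USERS[name], "sessionid": sid}


def whoami_weak(cookie: Dict[str, str]) -> Optional[str]:
    """Identity is whatever name/hash pair the cookie carries, provided the
    pair matches the table and some session id exists. Nothing binds the
    session id to the account it was issued for, so an attacker who knows
    another member's stored hash can simply write that member's name and
    hash into their own cookie."""
    if cookie.get("sessionid") not in ISSUED_SESSION_IDS:
        return None
    if USERS.get(cookie.get("name", "")) != cookie.get("pass"):
        return None
    return cookie["name"]


# ---- hardened model: only an opaque, signed session id leaves the server ---
SERVER_KEY = secrets.token_bytes(32)
SESSIONS: Dict[str, str] = {}   # session id -> member name, fixed at login


def sign(sid: str) -> str:
    return hmac.new(SERVER_KEY, sid.encode(), "sha256").hexdigest()


def login_hard(name: str, password: str) -> Optional[Dict[str, str]]:
    if USERS.get(name) != pw_hash(password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = name
    # No name and no password hash in the cookie: a stolen copy is a session
    # the server can revoke, not a long-lived credential.
    return {"sessionid": sid, "sig": sign(sid)}


def whoami_hard(cookie: Dict[str, str]) -> Optional[str]:
    """The member is looked up from the session id on the server; any other
    field the client adds to the cookie is never read, and a forged id fails
    the signature check before any lookup happens."""
    sid = cookie.get("sessionid", "")
    if not hmac.compare_digest(sign(sid), cookie.get("sig", "")):
        return None
    return SESSIONS.get(sid)
```

With the hardened layout, a cookie stolen through the search.asp XSS still yields a live session until it is revoked, so marking the cookie HttpOnly and ending sessions server-side on logout are the complementary measures; what it no longer yields is a reusable credential that survives a password change or can be lifted from the database file.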
Database Compromise Vulnerability
------------------------------------------
This is taken directly from the Max Web Portal readme file explaining
the recommended post installation procedure:
"Remember to change the default admin password by clicking on the Profile
link in your Control Panel. For additional security, it is recommended to
change your database name. example: neptune.mdb"
This is not safe on its own: the default location is well known, so
anyone with a CGI scanner can add it to their list and find any Max Web Portal
database that was left where the installer put it. By default the database is
located at this URL:
/database/db2000.mdb
And while it should be removed and placed in a directory that is not
web-accessible, a lot of times it isn't :( This is definitely serious, as you do not need
to decrypt the pass for it to be of any use to you, as I demonstrated
earlier.
password.asp Password Reset Vulnerability
------------------------------------------
This is by far the most serious vuln of them all. While the cookie
poisoning vuln will let you log in as anyone, your access is somewhat
limited. However, by requesting a forgotten password, an attacker can
then save the password reset page offline, edit the member id in the
source code to the id number of the desired victim, and reset their
password to one of their liking, no questions asked: the reset handler
takes the member id from the submitted form and never checks that it is
the account the reset was requested for. This leads to total
compromise of the web portal system. An attacker can even write a script
in a matter of minutes to reset the entire database to a pass of their
liking. I wrote a script like this during the research of this product
but will not be releasing it to the public, as I'm sure it will only be
abused.
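The following is an added example, not code from the advisory or from MaxWebPortal, that models the reset flow in Python. The vulnerable handler changes whichever account the hidden field names, as the advisory describes. The hardened flow mints a random single-use token bound server-side to the requesting account, hands it out of band to that account alone, and on submission looks the account up from the token; a member id in the form is ignored. The member table, the field name "member_id", the token lifetime and the plain storage of the new value are all assumptions for the example.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed member table; ids, names and stored values are assumptions.
MEMBERS: Dict[int, Dict[str, str]] = {
    1: {"name": "admin", "pw": "hash-admin"},
    7: {"name": "mallory", "pw": "hash-mallory"},
}


def reset_vulnerable(form: Dict[str, str]) -> bool:
    """The flawed handler as the advisory describes it: the account to change
    is read from a hidden field ("member_id" is a hypothetical name) that the
    attacker edited in the saved copy of the reset page. Looping this over
    every id is the mass-reset script the advisory mentions."""
    member_id = int(form["member_id"])
    if member_id not in MEMBERS:
        return False
    MEMBERS[member_id]["pw"] = form["new_password"]
    return True


# ---- hardened flow: a single-use token is the capability, not the id -----
RESET_TOKENS: Dict[str, Tuple[int, float]] = {}   # token -> (member id, expiry)
TOKEN_TTL_SECONDS = 3600.0


def request_reset(member_id: int, now: Optional[float] = None) -> str:
    """Step 1: mint an unguessable token, bind it server-side to the account
    that asked, and deliver it out of band (the e-mail step is not modelled).
    Because the token only ever goes to the account's own address, an attacker
    who requests a reset receives a token for their own account and nothing
    else."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (member_id, now + TOKEN_TTL_SECONDS)
    return token


def reset_hardened(form: Dict[str, str], now: Optional[float] = None) -> bool:
    """Step 2: the account comes from the token's server-side record; a
    member_id field in the form, if present, is ignored. The token is consumed
    on first use and refused after its expiry."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(form.get("token", ""), None)
    if entry is None:
        return False
    member_id, expires_at = entry
    if now > expires_at:
        return False
    MEMBERS[member_id]["pw"] = form["new_password"]
    return True
```

The property to check in a review is that no request parameter ever selects the account being changed; everything that identifies the victim must come from state the server created for that specific reset.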
JeiAr
Credits
------------------------------------------
All credits go to JeiAr of GulfTech Computers & CSA and Pivot of the
CSA Security Research Team.