Message-ID: <20040210145549.25948.qmail@gulo.org>
Date: Tue, 10 Feb 2004 15:55:49 +0100
From: "Manuel López" <mantra@...o.org>
To: bugtraq@...urityfocus.com
Subject: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal
By: Manuel López
Vendor Description:
MaxWebPortal is a web portal and online community system which includes
advanced features such as web-based administration, poll, private/public
events calendar, user customizable color themes, classifieds, user control
panel, online pager, link, file, article, picture managers and much more.
Software:
MaxWebPortal
Severity:
Moderately critical
Impact:
Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection.
Description:
- -- Cross Site Scripting --
An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp'
as well as in the "SendTo" parameter of Personal Messages: both values are
reflected into the page unencoded, which allows arbitrary script execution in
the victim's browser.
Another XSS vulnerability exists in the script 'down.asp':
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>
The HTTP_REFERER value is written straight into the href attribute without
sanitization, so a forged Referer header containing a double quote followed by
arbitrary HTML and script code breaks out of the attribute. Because the
Referer is set by the victim's browser, the usual delivery is a link from an
attacker-controlled page whose own URL carries the payload.
- -- Sql Injection --
The same unsanitized "SendTo" parameter in Personal Messages also allows SQL
injection: an attacker can alter the query to read or modify data in the
database.
- -- Avatar ScriptCode Injection --
The 'register' form does not validate the Avatar image name before it is
inserted into the database. A malicious user can therefore store arbitrary
HTML or script code in place of an Avatar image.
This can be used, for example, to steal another user's cookies when that user
visits any page on which the attacker's Avatar is displayed.
Proof of concept (a modified registration form that submits a javascript: URL
as the Avatar value):
<select name="Avatar_URL" size="4" onChange="if (CheckNav(3.0,4.0)) URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value;">
<option value="javascript:alert(document.cookie)">POC-Avatar</option>
</select>
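The two HTML sinks above (the Referer written into an href in 'down.asp' and the stored Avatar value written into an image src) share one fix: encode for the attribute context and restrict what the value may be. The following is an added JavaScript model of that template logic, not MaxWebPortal code (the real pages are classic ASP, where Server.HTMLEncode does the encoding); the avatar directory, the fallback page and the sample inputs are constructed for the example.

```javascript
// Added example, not MaxWebPortal code: the vulnerable rendering pattern for
// each of the advisory's two HTML sinks, beside a hardened form.

// Encode a value for use inside a double-quoted HTML attribute.
// Classic ASP's Server.HTMLEncode escapes the same characters.
function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// down.asp pattern: the Referer header is written straight into href.
function backLinkVulnerable(referer) {
  return `<a href="${referer}">Back</a>`;
}

// Hardened: only accept http(s) URLs (so javascript: never reaches href),
// fall back to a fixed local page otherwise, and attribute-encode the result.
function backLinkHardened(referer, fallback = "default.asp") {
  const target = /^https?:\/\//i.test(referer || "") ? referer : fallback;
  return `<a href="${htmlAttrEncode(target)}">Back</a>`;
}

// Avatar pattern: the stored avatar value ends up in an <img src>.
function avatarVulnerable(avatarUrl) {
  return `<img src="${avatarUrl}" alt="avatar">`;
}

// Hardened: the avatar must be a plain file name from the site's own avatar
// directory (assumed path, not from the advisory): no scheme, no separators,
// only a small allowlist of characters, so a javascript: URL or an attribute
// break-out is rejected at registration time.
const AVATAR_DIR = "images/avatars/";
const AVATAR_NAME = /^[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)$/i;

function avatarHardened(avatarName) {
  if (!AVATAR_NAME.test(avatarName)) {
    return null; // caller stores nothing and re-prompts the user
  }
  return `<img src="${htmlAttrEncode(AVATAR_DIR + avatarName)}" alt="avatar">`;
}

// Constructed sample inputs modelled on the advisory's two vectors.
const forgedReferer = 'http://evil.example/"><script>alert(document.cookie)</script>';
const pocAvatar = "javascript:alert(document.cookie)";

// Render each sink both ways so the effect of the hardening can be compared.
function demo() {
  return {
    backVuln: backLinkVulnerable(forgedReferer),
    backSafe: backLinkHardened(forgedReferer),
    avatarVuln: avatarVulnerable(pocAvatar),
    avatarSafe: avatarHardened(pocAvatar), // null: rejected
    avatarOk: avatarHardened("cat.png"),
  };
}
```

The vulnerable renderers reproduce the break-out exactly as the advisory describes it; the hardened ones never emit a raw quote, angle bracket or non-http scheme, and the avatar check rejects the value instead of trying to clean it.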
Solution:
The vendor has fixed these issues.
Update to version 1.32:
http://www.maxwebportal.com
- ---- Credits ----
Manuel López ( mantra@...o.org ) #IST
Special Thanks: -- Aklis -- gulo.org
Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z..
and all the #IST staff.
Excuse me for speaking English so badly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1
iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ
-----END PGP SIGNATURE-----