lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 11 May 2005 22:44:14 -0000
From: Zinho <>
Subject: [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS

Hackers Center Security Group (  
Zinho's Security Advisory  

Desc: Maxwebportal 1.3.5 and prior 
Risk: High 

MaxWebPortal is probably the most spread ASP based web portal script. 
I've found multiple XSS and Sql injection that could easily lead to password strealing or  portal defacement. 

Proof of concept: 

Working Exploits: 

XSS : 
--- Temporary XSS 
1./post.asp?method=Topic&FORUM_ID=1&  CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext> 

2. /post.asp?method=Topic&FORUM_ID=1&  CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext> 

3. /post.asp?method=Topic&FORUM_ID=1&  CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext> 

---- Permanent XSS 
Try Posting using this url: 
1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext> 

SQL Injections: 

1. fpassword parameter into function "ChkUser" defined into inc_functions.asp is not  checked. An SQL injection can be taken. 

2. "txtAddress", "message" and "subject" parameters into post_info.asp are not sanitized.  

3."andor" parameter added to the sql string on line 140 of search.asp 
search.asp?mode=DoIt  (Issued with method POST). An SQL injection can be taken 

4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken 

5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions   that use authentication through Cookies) 

Anyone can change the password in the cokie to "'" and inject sql in the ChkUsr2  function 

6.  pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized 

7.  pm_delete2.asp - "Delete" parm is not sanitized 

Venodr has been contacted one month ago. 
They released the new version 1.3.6 that *should* (I've not checked) all the above. 

Zinho is webmaster and founder of ,  
Security research portal  
Secure Web Hosting Companies Reviewed:  

zinho-no-spam @  

Powered by blists - more mailing lists