Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal

XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal

From: Manuel López <mantra_at_gulo.org>
Date: Tue, 10 Feb 2004 15:55:49 +0100

 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal

By: Manuel López

Vendor Description:
MaxWebPortal is a web portal and online community system which includes
advanced features such as web-based administration, poll, private/public
events calendar, user customizable color themes, classifieds, user control
panel, online pager, link, file, article, picture managers and much more.

Software:
MaxWebPortal

Severity:
Moderately critical

Impact:
Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection.

Description:

 - -- Cross Site Scripting --

An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp'
as well as the "SendTo" parameter in Personal Messages that allows arbitrary
code execution on the client-side browser.

Another XSS vulnerability exists in the script 'down.asp'.
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>
This vulnerability exists via insufficient
sanitization of the the HTTP_REFERER, an attacker can create false
HTTP_REFERER headers which contain arbitrary HTML and script code.
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>

 - -- Sql Injection --

Another problem of sanitation in the "SendTo" parameter in Personal Messages
could lead an attacker to inject SQL code to manipulate and disclose various
information from the database.

 - -- Avatar ScriptCode Injection --

The problem is in the 'register' form, it doesn't perform input validation
when inserting an image name of an Avatar into the database. This can be
exploited by a malicious user to inject arbitrary HTML or scriptcode instead
of an Avatar.
This can be used for example to steal another user's cookies if the user
visits a page where the attacker user's Avatar image would have been
displayed.

<select name="Avatar_URL" size="4" onChange ="if (CheckNav(3.0,4.0))
URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value
;">
<option
value="javascript:alert(document.cookie)">POC-Avatar</option></select>

Solution:
MaxWebPortal fixed the bugs
Update to version 1.32
http://www.maxwebportal.com

 - ---- Credits ----
Manuel López ( mantra_at_gulo.org ) #IST
Special Thank´s: -- Aklis -- gulo.org

Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z..
and all the #IST staff.

Excuse me for speaking English so badly.

 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1

iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ
 -----END PGP SIGNATURE-----
Received on Feb 10 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]