SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   MaxWebPortal
Vendors:   Yuan, Max
MaxWebPortal Input Validation Holes in 'events_functions' and 'links_add_form' Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013617
SecurityTracker URL:  http://securitytracker.com/id/1013617
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 31 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.33
Description:   Zinho of Hackers Center Security Group reported some input validation vulnerabilities in MaxWebPortal. A remote user can inject SQL commands and conduct cross-site scripting attacks.

The EVENT_ID parameter, submitted via POST to the Update_Events function in 'events_functions.asp', is not properly validated: it passes only through a generic string check (chkstring) rather than a numeric check before being used in a database query. A remote user can supply a specially crafted value to execute SQL commands on the underlying database and, for example, modify every row of the PORTAL_EVENTS table.

A demonstration exploit is available at:

http://www.hackerscenter.com/archive/view.asp?id=1807
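
The following is an added example written for this page; it is not code from MaxWebPortal or from the advisory. It recreates the flaw in Python against an in-memory SQLite table so the effect can be seen without the product. The vulnerable function assumes that Update_Events splices EVENT_ID into the WHERE clause of an UPDATE statement after a generic string filter; the statement shape, the column names and the behaviour of the chkstring() stand-in are assumptions for illustration, since the real source is not on the page. The hardened function applies the advisory's own workaround (accept EVENT_ID only when it is a whole number) and then binds it as a query parameter.

```python
import re
import sqlite3

# Constructed sample rows standing in for MaxWebPortal's PORTAL_EVENTS table.
# Column names other than EVENT_ID are assumptions for this example.
SAMPLE_EVENTS = [
    (1, "Board meeting", "Room A"),
    (2, "Release party", "Room B"),
    (3, "Maintenance window", "Server room"),
]

def make_db():
    """Create an in-memory database holding a PORTAL_EVENTS-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PORTAL_EVENTS (EVENT_ID INTEGER, TITLE TEXT, LOCATION TEXT)")
    conn.executemany("INSERT INTO PORTAL_EVENTS VALUES (?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn

def chkstring(value):
    """Stand-in for the generic string filter named in the advisory (assumed
    behaviour: doubles single quotes). That protects a quoted string literal
    but does nothing for a value dropped into a numeric comparison, where no
    quote is needed to break out."""
    return value.replace("'", "''")

def update_events_vulnerable(conn, event_id, new_title):
    """Mirrors the flaw described above: EVENT_ID is concatenated into the
    WHERE clause after only a string check (assumed statement shape)."""
    sql = ("UPDATE PORTAL_EVENTS SET TITLE = ? WHERE EVENT_ID = "
           + chkstring(event_id))
    cur = conn.execute(sql, (new_title,))
    conn.commit()
    return cur.rowcount          # rows actually changed

def update_events_fixed(conn, event_id, new_title):
    """Advisory workaround: accept EVENT_ID only if it is a whole number,
    then pass it as a bound parameter so it can never alter the statement."""
    if not re.fullmatch(r"[0-9]+", event_id.strip()):
        raise ValueError("EVENT_ID must be numeric")
    cur = conn.execute(
        "UPDATE PORTAL_EVENTS SET TITLE = ? WHERE EVENT_ID = ?",
        (new_title, int(event_id)))
    conn.commit()
    return cur.rowcount

def titles(conn):
    """Current TITLE column, ordered by EVENT_ID, for inspection."""
    return [row[0] for row in conn.execute(
        "SELECT TITLE FROM PORTAL_EVENTS ORDER BY EVENT_ID")]

if __name__ == "__main__":
    db = make_db()
    # A normal request changes exactly one row.
    print(update_events_vulnerable(db, "2", "Renamed"))
    # A crafted EVENT_ID rewrites every row of PORTAL_EVENTS.
    print(update_events_vulnerable(db, "0 OR 1=1", "Owned"))
    print(titles(db))
    db = make_db()
    try:
        update_events_fixed(db, "0 OR 1=1", "Owned")
    except ValueError as exc:
        print("rejected:", exc)
    print(update_events_fixed(db, "2", "Renamed"))
```

The payload needs no quote character, which is why a filter aimed at string literals lets it through: the injected text becomes part of the numeric comparison itself. Whitelisting digits (the advisory's IsNumeric/CLng approach) removes the problem at the input; binding the value as a parameter removes it at the query as well, so either layer failing does not reopen the hole.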

The banner URL parameter ('banner_url') in 'links_add_form.asp' is not validated as a URL. A remote user can submit a value such as a 'javascript:' URL that, when the resulting link is viewed or followed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the MaxWebPortal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
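
The advisory points out that HTML-encoding the banner URL is a starting point but not a fix. The added example below (written for this page, not code from MaxWebPortal or from the advisory) shows why: a 'javascript:' URL contains nothing an HTML encoder changes, so it survives encoding and still executes as an href. It then implements the check the advisory suggests, treating banner_url as a remote URL and accepting only absolute http/https URLs with a host. The normalisation step also handles variants that browsers still execute, such as mixed-case schemes, leading whitespace and tab or newline characters inside the scheme, which browsers discard before deciding what the scheme is. Python is used so the example runs stand-alone; the same logic carries over to the VBScript of the affected page. The sample inputs are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Browsers remove ASCII tab, LF and CR anywhere in a URL before parsing it,
# so "java\tscript:" reaches the scheme parser as "javascript:".
_STRIPPED = re.compile(r"[\t\n\r]")
# Leading C0 control characters and spaces are trimmed by browsers as well.
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")

def is_safe_banner_url(raw):
    """Return True only for an absolute http(s) URL that names a host.

    The value is normalised the way a browser normalises an href before
    choosing the scheme, so javascript: cannot be smuggled past the check.
    """
    if not isinstance(raw, str) or len(raw) > 2048:
        return False
    cleaned = _LEADING_JUNK.sub("", _STRIPPED.sub("", raw))
    try:
        parts = urlsplit(cleaned)
    except ValueError:           # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False             # rejects javascript:, data:, vbscript:, relative paths
    if not parts.hostname:
        return False             # "http:banner.gif" has a scheme but no host
    return True

def render_banner(raw):
    """Emit the link the page would produce, or "" when validation fails.
    Output encoding is still applied to the accepted value (defence in depth)."""
    if not is_safe_banner_url(raw):
        return ""
    return '<a href="%s">banner</a>' % html.escape(raw, quote=True)

def encoding_leaves_payload_intact(raw):
    """True when HTML-encoding does not change the value at all, i.e. the
    encoder alone offers no protection for this input."""
    return html.escape(raw, quote=True) == raw

# Constructed inputs: everything in PAYLOADS must be rejected, GOOD accepted.
PAYLOADS = [
    "javascript:alert(document.cookie)",        # the advisory's proof of concept
    "JaVaScRiPt:alert(1)",                      # scheme is case-insensitive
    " \tjavascript:alert(1)",                   # leading whitespace
    "java\nscript:alert(1)",                    # newline inside the scheme
    "data:text/html,<script>alert(1)</script>", # another scripting scheme
    "//evil.example/x.gif",                     # scheme-relative, not absolute
    "http:banner.gif",                          # http but no host
    "http://[evil",                             # makes urlsplit raise
]
GOOD = [
    "http://partner.example/banner.gif",
    "https://cdn.example/b.png?x=1",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "->", is_safe_banner_url(p))
    for g in GOOD:
        print(repr(g), "->", is_safe_banner_url(g))
    print("encoder changes payload:",
          not encoding_leaves_payload_intact("javascript:alert(document.cookie)"))
```

Validating the scheme on input and encoding on output are complementary: the scheme check stops the javascript: case that encoding cannot, while encoding still protects against a stored URL containing a quote or angle bracket that would otherwise break out of the href attribute.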

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MaxWebPortal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.maxwebportal.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [HSC Security Group] MaxWebPortal XSS and SQL injection



Hackers Center Security Group (http://www.hackerscenter.com/)  
Zinho's Security Advisory   


Title: MaxWebPortal 1.33  XSS and SQL injection
Risk: High
Date: 31/03/2005  
Vendor: Max Web portal http://www.maxwebportal.com



---  Let's begin with the XSS.
In page links_add_form.asp anyone can provide a banner URL such as:
javascript:alert(document.cookie) and cause session cookie stealing. This is a high-risk
vuln because a malicious hacker can steal the session cookie stealthily by crafting a proper
undetected script.
Workaround: HTML-encoding the input would be a starting point but not enough. Deep
input sanitization is required. (The banner_url parameter is supposed to be a remote URL. Why
not check whether it is a valid URL?)


----  SQL Injection:
A full SQL injection is possible due to an input validation error in function Update_Events
in page events_functions.asp. Parameter EVENT_ID, passed with POST, is not properly
validated, and anyone can issue a POST with crafted params to inject SQL or just change
all the values of the table PORTAL_EVENTS.

Workaround: in events_functions.asp line 192 replace 
chkstring(Request.Form("EVENT_ID"), "message") with 

' Accept EVENT_ID only when it is numeric, then convert it to a Long so that
' only a whole number ever reaches the query. (IsNumeric also accepts decimal
' and exponent forms such as "1.5" or "1e3"; CLng still turns those into an
' integer, so no SQL text can get through.)
If IsNumeric(Request.Form("EVENT_ID")) Then
    event_id = CLng(Request.Form("EVENT_ID"))
Else
    Response.End
End If
Full Exploit here:
http://www.hackerscenter.com/archive/view.asp?id=1807



Probably Max Web Portal 1.33 is affected by other security issues.
The vendor's site seems to be down and contacting them seems to be impossible.



Author:
Zinho is webmaster and founder of http://www.hackerscenter.com, a security research
portal.
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp

zinho-no-spam @ hackerscenter.com  


====>
Webmaster of
.:[ Hackers Center : Internet Security Portal]:.
http://www.hackerscenter.com
http://www.securityforge.com/web-hosting
 
 


Copyright 2022, SecurityGlobal.net LLC