[HSC] MaxWebPortal Multiple SQL injection and XSS
HSC Research Group - Advisories
Written by Hackers Center   
Wednesday, 11 May 2005 13:51
Hackers Center Security Group (http://www.hackerscenter.com/)
Zinho"s Security Advisory

Desc: Maxwebportal 1.3.5 and prior
Risk: High

MaxWebPortal is probably the most widespread ASP-based web portal script.
I've found multiple XSS and SQL injection flaws that could easily lead to password stealing or portal defacement.

Proof of concept:

XSS :
--- Temporary XSS
--- Temporary XSS
1. http://localhost/asp/maxwebportal136/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&mod=">
2. http://localhost/asp/maxwebportal136/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext>
3. http://localhost/asp/maxwebportal136/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext>

---- Permanent XSS
Try posting using this URL:
1. post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=http://<plaintext>

SQL Injections:

1. The fpassword parameter passed to the function "ChkUser" defined in inc_functions.asp is not checked; SQL injection is possible.

2. The "txtAddress", "message" and "subject" parameters in post_info.asp are not sanitized.

3. The "andor" parameter is appended to the SQL string on line 140 of search.asp (search.asp?mode=DoIt, issued with method POST); SQL injection is possible.

4. verkey on line 132 of pop_profile.asp is not sanitized; SQL injection is possible:
pop_profile.asp?verkey="

5. SQL injection through cookie alteration in pop_profile.asp (and all the other functions that authenticate through cookies). Anyone can change the password in the cookie to """ and inject SQL in the ChkUsr2 function.

6. pm_delete2.asp: SQL injection on line 85, the "Remove" parameter is not sanitized.

7. pm_delete2.asp: the "Delete" parameter is not sanitized.

The vendor was contacted one month ago.
They released the new version 1.3.6 that *should* (I've not checked) fix all the above.

Author:
Zinho is webmaster and founder of http://www.hackerscenter.com, a security research portal.
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp

zinho-no-spam @ hackerscenter.com
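As an added illustration of items 1 and 5 above (my own code, not the advisory's or MaxWebPortal's), this models the per-request cookie re-authentication in Python over SQLite: the concatenated query that lets a quote in the cookie reach the SQL parser, beside the parameterized form that keeps the cookie value as data. The table layout and the cookie format are constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the portal's member table
    (assumption: column names are illustrative, not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, password TEXT)")
    db.execute("INSERT INTO members VALUES ('alice', 'secret1')")
    db.commit()
    return db


def chk_user_concat(db, name, password):
    """Modeled on the ChkUser/ChkUsr2 flaw: cookie values are pasted into
    the SQL text, so a quote in the cookie is parsed as SQL, not data."""
    sql = ("SELECT COUNT(*) FROM members WHERE name='" + name +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def chk_user_param(db, name, password):
    """Hardened form: placeholders bind the cookie values as data."""
    sql = "SELECT COUNT(*) FROM members WHERE name=? AND password=?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


def check_cookie(db, cookie, check_fn):
    """Parse a 'name=...; password=...' cookie (constructed format) and
    re-authenticate it the way the portal re-checks the cookie on each
    request. Returns 'ok', 'denied' or 'sql-error' so both checks can be
    compared on the same tampered input."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    try:
        ok = check_fn(db, fields["name"], fields["password"])
    except sqlite3.Error:
        # Attacker-controlled text reached the SQL parser.
        return "sql-error"
    return "ok" if ok else "denied"


if __name__ == "__main__":
    db = make_db()
    for cookie in ("name=alice; password=secret1", "name=alice; password=a'b"):
        print(cookie, "concat:", check_cookie(db, cookie, chk_user_concat),
              "param:", check_cookie(db, cookie, chk_user_param))
```

A stray quote in the cookie breaks the concatenated query outright, which is the symptom to look for in database error logs; the parameterized check simply denies it.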