Bugtraq mailing list archives
XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal
From: "Manuel López" <mantra () gulo org>
Date: Tue, 10 Feb 2004 15:55:49 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal
By: Manuel López

Vendor Description: MaxWebPortal is a web portal and online community system which includes advanced features such as web-based administration, poll, private/public events calendar, user customizable color themes, classifieds, user control panel, online pager, link, file, article, picture managers and much more.
Software: MaxWebPortal
Severity: Moderately critical
Impact: Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection.

Description:

- -- Cross Site Scripting --

An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp' as well as in the "SendTo" parameter in Personal Messages. It allows arbitrary script code to be executed in the client-side browser.

Another XSS vulnerability exists in the script 'down.asp'. It is caused by insufficient sanitization of HTTP_REFERER: an attacker can create false HTTP_REFERER headers which contain arbitrary HTML and script code.

  <a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>

- -- Sql Injection --

Another sanitization problem in the "SendTo" parameter in Personal Messages could allow an attacker to inject SQL code to manipulate and disclose various information from the database.

- -- Avatar ScriptCode Injection --

The problem is in the 'register' form: it doesn't perform input validation when inserting the image name of an Avatar into the database. This can be exploited by a malicious user to inject arbitrary HTML or script code instead of an Avatar. This can be used, for example, to steal another user's cookies if the user visits a page where the attacker's Avatar image would have been displayed.

  <select name="Avatar_URL" size="4" onChange="if (CheckNav(3.0,4.0)) URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value;">
    <option value="javascript:alert(document.cookie)">POC-Avatar</option>
  </select>

Solution: MaxWebPortal fixed the bugs. Update to version 1.32.
http://www.maxwebportal.com

- ---- Credits ----

Manuel López ( mantra () gulo org ) #IST

Special Thanks: -- Aklis -- gulo.org Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z.. and all the #IST staff.
Excuse me for speaking English so badly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1

iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ
-----END PGP SIGNATURE-----
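
The following Classic ASP (VBScript) sketch is an added example, not part of the advisory and not MaxWebPortal's own code or its 1.32 fix. It shows server-side handling for the two snippets quoted above: the HTTP_REFERER "Back" link in 'down.asp' and the Avatar_URL form value. The helper names, the fallback page "default.asp", the default "noavatar.gif" and the folder "images/avatars/" are assumptions.

```asp
<%
' Added example: helper names, file names and paths are hypothetical.

' Return the value only if it is an absolute http(s) URL, else the fallback.
' This rejects javascript:, data: and similar schemes before output.
Function SafeHttpUrl(ByVal raw, ByVal fallback)
    Dim value, lower
    value = Trim(raw & "")
    lower = LCase(value)
    If Left(lower, 7) = "http://" Or Left(lower, 8) = "https://" Then
        SafeHttpUrl = value
    Else
        SafeHttpUrl = fallback
    End If
End Function

' Accept only a bare image file name (assumption: avatars are stored as
' file names inside one server-side folder, not as full URLs).
Function IsValidAvatarName(ByVal name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.(gif|jpg|jpeg|png)$"
    re.IgnoreCase = True
    IsValidAvatarName = re.Test(name & "")
    Set re = Nothing
End Function

Dim backUrl, avatar

' down.asp: the Referer header is client-controlled, so treat it as input.
backUrl = SafeHttpUrl(Request.ServerVariables("HTTP_REFERER"), "default.asp")

' register: validate on the server before the value is written to the
' database; the <select> in the browser is not a security boundary.
avatar = Request.Form("Avatar_URL")
If Not IsValidAvatarName(avatar) Then avatar = "noavatar.gif"
%>
<!-- Scheme-checked above, HTML-encoded here so quotes cannot close the attribute -->
<a href="<%= Server.HTMLEncode(backUrl) %>">Back</a>

<!-- Encode again wherever the stored avatar name is rendered -->
<img src="images/avatars/<%= Server.HTMLEncode(avatar) %>" alt="avatar">
```

The same validate-then-encode pattern applies to the "sub_name" and "SendTo" parameters; for the SQL side of "SendTo", the value should additionally be bound as a query parameter rather than concatenated into the statement.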