Max Web Portal Critical Vulnerabilities

Multiple Vulnerabilities In Max Web Portal
------------------------------------------
Discovery Date: 05/2003
Versions Vuln : All? / 1.30
Author's URL  : http://www.maxwebportal.com
                http://www.maxcanada.ca
Notify Status : Patch Available / Upgrade







Product Description
------------------------------------------
MaxWebPortal is a web portal and online community system which includes
advanced features such as web-based administration, poll, private/public
events calendar, user customizable color themes, classifieds, user control
panel, online pager, link, file, article, picture managers and much more.
Its easy-to-use and powerful user interface allows members to add news and
content, write reviews and share information with other registered users.





Vendor Status
------------------------------------------
The vendor was not only very quick and helpful with replying, but they got
a fix out just as quick. I must say it was quite impressive :) As far as a
fix goes, here are two links to the patch.

http://www.gulftech.org/vuln/MaxWebPortal%201.30%20Patch.zip
http://www.maxwebportal.com

There will also be a new version of Max Web Portal released this upcoming
week, which will be available at www.maxwebportal.com. None of these
patches have been tested by myself or any other security researchers thus
far, so it is not known whether the holes were fixed 100%, but time will
tell :)





search.asp XSS Vulnerability
------------------------------------------
The Max Web Portal search utility is vulnerable to cross site scripting
attacks. The search term is echoed back into the page's input tag, so all
an attacker has to do is break out of the input tag and enter their code of
choice, such as JS or VBS. Below is an example of this vulnerability.

http://blah/search.asp?Search="><script>alert()</script>

Remember this vuln, as I will later explain how it can be used to aid an
attacker in compromising user and admin accounts.
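
As an added illustration (not code from this advisory or from Max Web
Portal, whose pages are ASP), here is the pattern behind the bug and its fix
in Python: a search form that echoes the term into its value attribute
unescaped, beside one that HTML-escapes it for attribute context. The probe
string is the advisory's own, embedded as a constant for the demo.

```python
import html

# Constructed probe, the same string the advisory sends to search.asp.
SAMPLE_TERM = '"><script>alert()</script>'


def render_search_form_vulnerable(term: str) -> str:
    """Echoes the term straight into value="": a quote inside it closes the
    attribute and the tag, and whatever follows is parsed as markup."""
    return f'<input type="text" name="Search" value="{term}">'


def render_search_form_fixed(term: str) -> str:
    """Same form, but the term is HTML-escaped for attribute context:
    &, <, >, " and ' become entities, so the value cannot leave the attribute."""
    return f'<input type="text" name="Search" value="{html.escape(term, quote=True)}">'


def script_tag_survives(markup: str) -> bool:
    """Crude check for the demo: is a literal <script> tag present in the output?"""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    for render in (render_search_form_vulnerable, render_search_form_fixed):
        out = render(SAMPLE_TERM)
        print(f"{render.__name__}: {out}  script_tag_survives={script_tag_survives(out)}")
```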







Hidden Form Field Vulnerability
------------------------------------------
The Max Web Portal system seems to rely on hidden form fields quite heavily.
This is not really a problem if done securely. However, any user can perform
some admin actions by exploiting the use of these hidden fields, because the
server honours them without checking the poster's privileges. For example,
an attacker can deface a Max Web Portal site by clicking the link to start a
new topic, saving the html file offline, and making a few changes. By adding
the following to the form, any post an attacker makes will show up on the
front page as a news item. (credits to pivot for finding this one :) )

A field with name="news" value="1"

And this will also lock the topic:

A field with name="lock" value="1"

Unfortunately this vuln can also be exploited by the scum of the earth
(spammers :( ). Below is an example of how a user can send a private message
to all members of the particular Max Web Portal driven site:

A field with name="allmem" value="true"

There may be other vulns like this that can be exploited. We however quit
bothering with looking after these were found. heh
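
Added example, not the portal's own code: the defect is that the server
honours the hidden news, lock and allmem fields from any poster. The Python
below (a hypothetical User type and a constructed tampered form) shows that
pattern beside a handler that derives the privileged flags from the
server-side role, plus a small hook for logging non-admin submissions of
those fields.

```python
from dataclasses import dataclass
from typing import Dict, List

PRIVILEGED_FIELDS = ("news", "lock", "allmem")


@dataclass
class User:          # hypothetical server-side account record
    name: str
    is_admin: bool


# Constructed request: a member's new-topic POST with the advisory's extra
# fields spliced in after saving and editing the form offline.
TAMPERED_FORM = {"subject": "hi", "message": "hello",
                 "news": "1", "lock": "1", "allmem": "true"}


def build_post_vulnerable(form: Dict[str, str], user: User) -> Dict[str, object]:
    """Trusts the form: whatever hidden fields arrive are honoured as-is."""
    return {
        "author": user.name,
        "subject": form.get("subject", ""),
        "front_page_news": form.get("news") == "1",
        "locked": form.get("lock") == "1",
        "pm_all_members": form.get("allmem") == "true",
    }


def build_post_fixed(form: Dict[str, str], user: User) -> Dict[str, object]:
    """Privileged flags are gated on the server-side role, not on the form."""
    allowed = user.is_admin
    return {
        "author": user.name,
        "subject": form.get("subject", ""),
        "front_page_news": allowed and form.get("news") == "1",
        "locked": allowed and form.get("lock") == "1",
        "pm_all_members": allowed and form.get("allmem") == "true",
    }


def tampered_fields(form: Dict[str, str], user: User) -> List[str]:
    """Detection hook: privileged fields a non-admin sent, worth logging."""
    if user.is_admin:
        return []
    return sorted(k for k in PRIVILEGED_FIELDS if k in form)
```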









Account Compromise Via Cookie Poisoning
------------------------------------------
Now this is where the earlier XSS vuln could come in very handy to an
attacker. Basically, by changing certain values in the cookie file of a Max
Portal website an attacker can assume the identity of anyone, even an admin.
This however is only possible if you have the encrypted password of a user.
But by using the above XSS vuln or other methods, this can be accomplished
quite easily. All an attacker has to do is log in as themselves to obtain a
valid sessionid. Then, without logging out, close the browser and change
their name and encrypted pass in the cookie to that of the identity they
wish to assume. When they return to the site it will then recognize them as
the compromised user.
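
Added example in Python, not the portal's own logic: a cookie that carries
the user's name and stored password digest and is trusted as-is, beside a
server-side session table keyed by a random id. The user table, salts and
PBKDF2 hashing are assumptions for the demo; the advisory only says the
cookie holds an "encrypted" password.

```python
import hashlib
import secrets
from typing import Dict, Optional


def hash_pw(password: str, salt: bytes) -> str:
    # Salted PBKDF2 stands in for whatever "encryption" the portal used (assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed user table: name -> stored digest (what the DB file would leak).
SALTS = {"alice": b"salt-a", "admin": b"salt-b"}
USERS = {"alice": hash_pw("alice-pw", SALTS["alice"]),
         "admin": hash_pw("admin-pw", SALTS["admin"])}


def whoami_vulnerable(cookie: Dict[str, str]) -> Optional[str]:
    """Identity is read from the cookie and the stored digest doubles as the
    credential, so name + digest (from the DB, or a cookie read via XSS)
    is a complete login: nothing needs decrypting."""
    name, digest = cookie.get("name"), cookie.get("pass")
    if name in USERS and digest is not None and secrets.compare_digest(USERS[name], digest):
        return name
    return None


SESSIONS: Dict[str, str] = {}  # server side only: session id -> user name


def login_fixed(name: str, password: str) -> Optional[str]:
    """Verify the cleartext password once, then issue an opaque random id."""
    if name in USERS and secrets.compare_digest(hash_pw(password, SALTS[name]), USERS[name]):
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = name
        return sid
    return None


def whoami_fixed(cookie: Dict[str, str]) -> Optional[str]:
    """Identity comes only from the server-side table; any name or pass
    field in the cookie is ignored, so editing them changes nothing."""
    return SESSIONS.get(cookie.get("sessionid", ""))
```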









Database Compromise Vulnerability
------------------------------------------
This is taken directly from the Max Web Portal readme file explaining the
recommended post installation procedure:

"Remember to change the default admin password by clicking on the Profile
link in your Control Panel. For additional security, it is recommended to
change your database name. example: neptune.mdb"

This is not safe, as anyone with a CGI scanner can modify their list to find
a Max Web Portal database. By default the database is located at this url:

/database/db2000.mdb

And while it should be removed and placed in a directory that is not web
accessible, a lot of times it isn't :( This is definitely serious, as you do
not need to decrypt the pass for it to be any use to you, as I demonstrated
earlier.









password.asp Password Reset Vulnerability
------------------------------------------
This is by far the most serious vuln of them all. While the cookie
poisoning vuln will let you log in as anyone, your access is somewhat
limited. However, by requesting a forgotten password, an attacker can then
save the password reset page offline, edit the member id in the source code
to the id number of the desired victim, and reset their password to one of
their liking, no questions asked. This leads to total compromise of the web
portal system. An attacker can even write a script in a matter of minutes to
reset the entire database to a pass of their liking. I wrote a script like
this during the research of this product but will not be releasing it to
the public as I'm sure it will only be abused.
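
Added example, not password.asp itself: a reset handler that takes the
member id from the submitted form, beside one where a random single-use,
time-limited token issued server side selects the account. The member
table, e-mail addresses and TOKEN_TTL are constructed for the demo.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed member table: member id -> record (ids and addresses hypothetical).
MEMBERS: Dict[int, Dict[str, str]] = {
    1: {"email": "admin@example.invalid", "password": "old-admin"},
    7: {"email": "bob@example.invalid", "password": "old-bob"},
}


def reset_vulnerable(form: Dict[str, str]) -> bool:
    """The account to reset is chosen by a form field the client controls."""
    mid = int(form.get("memberid", "0"))
    if mid not in MEMBERS:
        return False
    MEMBERS[mid]["password"] = form["newpass"]
    return True


RESET_TOKENS: Dict[str, Tuple[int, float]] = {}  # token -> (member id, expiry)
TOKEN_TTL = 15 * 60  # seconds; assumed policy value


def request_reset(email: str, now: float) -> Optional[str]:
    """Step 1: bind a random single-use token to the account that owns the
    e-mail, server side. The token goes out by e-mail, never into the page."""
    for mid, rec in MEMBERS.items():
        if rec["email"] == email:
            tok = secrets.token_urlsafe(32)
            RESET_TOKENS[tok] = (mid, now + TOKEN_TTL)
            return tok
    return None


def reset_fixed(form: Dict[str, str], now: float) -> bool:
    """Step 2: the token alone selects the account; it is consumed on first
    use and refused after expiry. A memberid field in the form is ignored."""
    entry = RESET_TOKENS.pop(form.get("token", ""), None)
    if entry is None:
        return False
    mid, expiry = entry
    if now > expiry:
        return False
    MEMBERS[mid]["password"] = form["newpass"]
    return True
```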







JeiAr







Credits
------------------------------------------
All credits go to JeiAr of GulfTech Computers & CSA and Pivot of the CSA
Security Research Team.







