
MaxWebPortal XSS, Sql Injection and Avatar ScriptCode Injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 

Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal 

By: Manuel López 

Vendor Description:
MaxWebPortal is a web portal and online community system which includes 
advanced features such as web-based administration, poll, private/public 
events calendar, user customizable color themes, classifieds, user control 
panel, online pager, link, file, article, picture managers and much more. 

Software:
MaxWebPortal 

Severity:
Moderately critical 

Impact:
Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection. 

Description: 

 - -- Cross Site Scripting -- 

An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp' 
as well as in the "SendTo" parameter of Personal Messages; both allow arbitrary 
script code to be executed in the client's browser. 

Another XSS vulnerability exists in the script 'down.asp'.

This vulnerability exists because the HTTP_REFERER header is insufficiently sanitized: an attacker can supply a forged HTTP_REFERER header containing arbitrary HTML and script code, which is then written into the page.

- -- Sql Injection -- 

Another sanitization problem in the "SendTo" parameter of Personal Messages could allow an attacker to inject SQL code and thereby manipulate and disclose various information from the database. 

- -- Avatar ScriptCode Injection -- 

The problem is in the 'register' form, which performs no input validation when inserting the image name of an Avatar into the database. A malicious user can exploit this to inject arbitrary HTML or script code in place of an Avatar. This can be used, for example, to steal another user's cookies if that user visits a page where the attacker's Avatar image would have been displayed. 

Solution: 
MaxWebPortal fixed the bugs. Update to version 1.32 
http://www.maxwebportal.com 

- ---- Credits ---- 

Manuel López ( mantra@gulo.org ) #IST 

Special Thanks: 
-- Aklis 
-- gulo.org 
Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z.. and all the #IST staff. 

Excuse me for speaking English so badly. 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1

iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ
-----END PGP SIGNATURE-----
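The three issue classes in the advisory above come down to two missing controls: untrusted values (the "sub_name" and "SendTo" parameters, the HTTP_REFERER header, and the stored Avatar image name) are written into HTML without encoding, and "SendTo" reaches the database by string concatenation. The following Python script is an added illustration of the defensive counterparts; it is not MaxWebPortal's code (which is classic ASP) and not part of the advisory. It assumes that 'down.asp' echoes the Referer into a "Back" link's href, uses a constructed in-memory member table in place of the portal database, and applies a constructed allowlist for avatar file names; all hostile sample inputs are constructed test strings.

```python
"""Defensive counterparts to the issue classes in the MaxWebPortal advisory.

Added example, not MaxWebPortal code. Models the untrusted inputs named in the
advisory (request parameters, the HTTP Referer header, the stored avatar image
name) and shows the handling that closes each issue class: HTML-encoding on
output, a bound parameter for the database lookup, and an allowlist check on
the avatar file name before it is stored. Sample data below is constructed.
"""
import html
import re
import sqlite3

# Constructed policy: an avatar is a plain image file name, no path separators,
# no markup characters, a known image extension.
AVATAR_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(gif|jpg|jpeg|png)$")


def render_back_link(referer: str) -> str:
    """Build a 'Back' link from the Referer (assumed down.asp layout), encoded.

    html.escape(quote=True) also encodes the quote characters, so a header
    value cannot close the href attribute and open a new tag.
    """
    return '<a href="%s">Back</a>' % html.escape(referer, quote=True)


def render_param(value: str) -> str:
    """Echo a request parameter such as sub_name into page text, encoded."""
    return "<p>Results for %s</p>" % html.escape(value, quote=True)


def valid_avatar_name(name: str) -> bool:
    """Accept only a simple image file name; reject anything else at registration."""
    return AVATAR_RE.fullmatch(name) is not None


def render_avatar(name: str) -> str:
    """Render a stored avatar; fall back to a default if the stored name is not valid.

    The name is encoded even after validation, as defence in depth against a
    later relaxation of the allowlist.
    """
    if not valid_avatar_name(name):
        return '<img src="default.gif" alt="avatar">'
    return '<img src="avatars/%s" alt="avatar">' % html.escape(name, quote=True)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory member table standing in for the portal database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (member_id INTEGER, username TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)",
                    [(1, "alice"), (2, "bob")])
    return con


def lookup_recipient(con: sqlite3.Connection, send_to: str):
    """Resolve the SendTo name with a bound parameter, never by string-building.

    The driver passes the value to the engine separately from the statement, so
    quote characters in send_to are data, not SQL syntax.
    """
    row = con.execute(
        "SELECT member_id FROM members WHERE username = ?", (send_to,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run each control against a constructed hostile input and a benign one."""
    con = make_db()
    hostile_referer = 'http://example.invalid/"><script>alert(1)</script>'  # constructed
    hostile_send_to = "bob' OR '1'='1"                                      # constructed
    hostile_avatar = '"><script>alert(1)</script>.gif'                      # constructed
    return {
        "back": render_back_link(hostile_referer),
        "param": render_param("<img src=x onerror=alert(1)>"),
        "send_to": lookup_recipient(con, hostile_send_to),
        "legit_send_to": lookup_recipient(con, "bob"),
        "avatar_ok": valid_avatar_name("me.png"),
        "avatar_bad": valid_avatar_name(hostile_avatar),
        "avatar_html": render_avatar(hostile_avatar),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running the script shows the hostile Referer and parameter rendered as inert text inside the markup, the SQL fragment in "SendTo" matching no member row, and the hostile avatar name rejected at registration and replaced by the default image at render time.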
