--Alt-Boundary-12164.15822371 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Hackers Center Security Group (http://www.hackerscenter.com/) Zinho's Security Advisory Desc: Maxwebportal 1.3.5 and prior Risk: High MaxWebPortal is probably the most spread ASP based web portal script. I've found multiple XSS and Sql injection that could easily lead to password strealing or portal defacement. Proof of concept: Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542 XSS : --- Temporary XSS 1./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=%00General+Chat&mod="> 2. /post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext> 3. /post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext> ---- Permanent XSS Try Posting using this url: 1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext> SQL Injections: 1. fpassword parameter into function "ChkUser" defined into inc_functions.asp is not checked. An SQL injection can be taken. 2. "txtAddress", "message" and "subject" parameters into post_info.asp are not sanitized. 3."andor" parameter added to the sql string on line 140 of search.asp search.asp?mode=DoIt (Issued with method POST). An SQL injection can be taken 4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken pop_profile.asp?verkey=' 5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions that use authentication through Cookies) Anyone can change the password in the cokie to "'" and inject sql in the ChkUsr2 function 6. pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized 7. pm_delete2.asp - "Delete" parm is not sanitized Venodr has been contacted one month ago. They released the new version 1.3.6 that *should* (I've not checked) all the above. Author: Zinho is webmaster and founder of http://www.hackerscenter.com , Security research portal Secure Web Hosting Companies Reviewed: http://www.securityforge.com/web-hosting/secure-web-hosting.asp zinho-no-spam @ hackerscenter.com ====> Webmaster of .:[ Hackers Center : Internet Security Portal]:. http://www.hackerscenter.com http://www.securityforge.com/web-hosting --Alt-Boundary-12164.15822371 Content-type: text/html; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body <?xml version="1.0" ?><html> <head> <title></title> </head> <body> <div align="left"><font face="Arial"><span style="font-size:10pt">Hackers Center Security Group (</span></font><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.hackerscenter.com/</u></span></font><font face="Arial"><span style="font-size:10pt">)&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Zinho's Security Advisory&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><br/> <font face="Arial"><span style="font-size:10pt">Desc: Maxwebportal 1.3.5 and prior</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Risk: High</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">MaxWebPortal is probably the most spread ASP based web portal script.</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">I've found multiple XSS and Sql injection that could easily lead to password strealing or portal defacement.</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">Proof of concept:</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">XSS :</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">--- Temporary XSS</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">1./post.asp?method=Topic&amp;FORUM_ID=1&amp; CAT_ID=1&amp;Forum_Title=%00General+Chat&amp;mod=&quot;&gt;&lt;plaintext&gt;</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">2. /post.asp?method=Topic&amp;FORUM_ID=1&amp; CAT_ID=1&amp;Forum_Title=%00General+Chat&amp;M=&quot;&gt;&lt;plaintext&gt;</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">3. /post.asp?method=Topic&amp;FORUM_ID=1&amp; CAT_ID=1&amp;Forum_Title=%00General+Chat&amp;type=&quot;&gt;&lt;plaintext&gt;</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">---- Permanent XSS</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Try Posting using this url:</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">1 ./post.asp?method=Topic&amp;FORUM_ID=1&amp; CAT_ID=1&amp;Forum_Title=http://&lt;plaintext&gt;</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">SQL Injections:</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">1. fpassword parameter into function &quot;ChkUser&quot; defined into inc_functions.asp is not checked. An SQL injection can be taken.</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">2. &quot;txtAddress&quot;, &quot;message&quot; and &quot;subject&quot; parameters into post_info.asp are not sanitized. </span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">3.&quot;andor&quot; parameter added to the sql string on line 140 of search.asp</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">search.asp?mode=DoIt&#160; (Issued with method POST). An SQL injection can be taken</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">pop_profile.asp?verkey='</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions that use authentication through Cookies)</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">Anyone can change the password in the cokie to &quot;'&quot; and inject sql in the ChkUsr2 function</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">6.&#160; pm_delete2.asp Sql injection on line 85 - &quot;Remove&quot; parm is not sanitized</span></font></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">7.&#160; pm_delete2.asp - &quot;Delete&quot; parm is not sanitized</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">Venodr has been contacted one month ago.</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">They released the new version 1.3.6 that *should* (I've not checked) all the above.</span></font></div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> </div> <div align="left"><br/> <font face="Arial"><span style="font-size:10pt">Author:&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Zinho is webmaster and founder of </span></font><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.hackerscenter.com</u></span></font><font face="Arial"><span style="font-size:10pt"> ,&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Security research&#160;&#160; portal&#160;&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Secure Web Hosting Companies Reviewed:&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.securityforge.com/web-hosting/secure-web-hosting.asp</u></span></font><font face="Arial"><span style="font-size:10pt">&#160;&#160;&#160;&#160;&#160;&#160; </span></font></div> <div align="left"><br/> <font face="Arial"><span style="font-size:10pt">zinho-no-spam @ hackerscenter.com </span></font></div> <div align="left"><br/></div> <div align="left"><br/> </div> <div align="left"><font face="Arial"><span style="font-size:10pt">====&gt;</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">Webmaster of</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">.:[ Hackers Center : Internet Security Portal]:.</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">http://www.hackerscenter.com</span></font></div> <div align="left"><font face="Arial"><span style="font-size:10pt">http://www.securityforge.com/web-hosting</span></font></div> <div align="left"><br/> </div> <div align="left"></div> </body> </html> --Alt-Boundary-12164.15822371--