Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

maxwebportalxss.txt

🗓️ 07 Aug 2005 00:00:00Reported by ZinhoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

Maxwebportal 1.3.5 and prior with high risk due to multiple XSS and SQL injection vulnerabilities, allowing password stealing and portal defacement. Working exploits at hackerscenter.com/archive/view.asp?id=254

Code
`--Alt-Boundary-12164.15822371  
Content-type: text/plain; charset=US-ASCII  
Content-transfer-encoding: 7BIT  
Content-description: Mail message body  
  
Hackers Center Security Group (http://www.hackerscenter.com/)   
Zinho's Security Advisory   
  
Desc: Maxwebportal 1.3.5 and prior  
Risk: High  
  
  
MaxWebPortal is probably the most spread ASP based web portal script.  
I've found multiple XSS and Sql injection that could easily lead to password strealing or   
portal defacement.  
  
Proof of concept:  
  
Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542  
  
  
XSS :  
--- Temporary XSS  
1./post.asp?method=Topic&FORUM_ID=1&   
CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext>  
  
2. /post.asp?method=Topic&FORUM_ID=1&   
CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext>  
  
3. /post.asp?method=Topic&FORUM_ID=1&   
CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext>  
  
  
---- Permanent XSS  
Try Posting using this url:  
1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext>  
  
  
  
  
  
  
SQL Injections:  
  
1. fpassword parameter into function "ChkUser" defined into inc_functions.asp is not   
checked. An SQL injection can be taken.  
  
  
2. "txtAddress", "message" and "subject" parameters into post_info.asp are not sanitized.   
  
  
3."andor" parameter added to the sql string on line 140 of search.asp  
search.asp?mode=DoIt (Issued with method POST). An SQL injection can be taken  
  
4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken  
pop_profile.asp?verkey='  
  
5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions   
that use authentication through Cookies)  
  
Anyone can change the password in the cokie to "'" and inject sql in the ChkUsr2   
function  
  
  
6. pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized  
  
7. pm_delete2.asp - "Delete" parm is not sanitized  
  
  
  
Venodr has been contacted one month ago.  
They released the new version 1.3.6 that *should* (I've not checked) all the above.  
  
  
  
  
Author:   
Zinho is webmaster and founder of http://www.hackerscenter.com ,   
Security research portal   
Secure Web Hosting Companies Reviewed:   
http://www.securityforge.com/web-hosting/secure-web-hosting.asp   
  
zinho-no-spam @ hackerscenter.com   
  
  
====>  
Webmaster of  
.:[ Hackers Center : Internet Security Portal]:.  
http://www.hackerscenter.com  
http://www.securityforge.com/web-hosting  
  
  
  
--Alt-Boundary-12164.15822371  
Content-type: text/html; charset=US-ASCII  
Content-transfer-encoding: 7BIT  
Content-description: Mail message body  
  
<?xml version="1.0" ?><html>  
<head>  
<title></title>  
</head>  
<body>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Hackers Center Security Group (</span></font><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.hackerscenter.com/</u></span></font><font   
face="Arial"><span style="font-size:10pt">) </span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Zinho's Security Advisory </span></font></div>  
<div align="left"><br/>  
<font face="Arial"><span style="font-size:10pt">Desc: Maxwebportal 1.3.5 and prior</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Risk: High</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">MaxWebPortal is probably the most spread ASP based web portal script.</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">I've found multiple XSS and Sql injection that could easily lead to password strealing or   
portal defacement.</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Proof of concept:</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Working Exploits: http://www.hackerscenter.com/archive/view.asp?id=2542</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">XSS :</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">--- Temporary XSS</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">1./post.asp?method=Topic&FORUM_ID=1&   
CAT_ID=1&Forum_Title=%00General+Chat&mod="><plaintext></span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">2. /post.asp?method=Topic&FORUM_ID=1&   
CAT_ID=1&Forum_Title=%00General+Chat&M="><plaintext></span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">3. /post.asp?method=Topic&FORUM_ID=1&   
CAT_ID=1&Forum_Title=%00General+Chat&type="><plaintext></span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">---- Permanent XSS</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Try Posting using this url:</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">1 ./post.asp?method=Topic&FORUM_ID=1& CAT_ID=1&Forum_Title=http://<plaintext></span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">SQL Injections:</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">1. fpassword parameter into function "ChkUser" defined into inc_functions.asp is not   
checked. An SQL injection can be taken.</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">2. "txtAddress", "message" and "subject" parameters into post_info.asp are not   
sanitized. </span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">3."andor" parameter added to the sql string on line 140 of search.asp</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">search.asp?mode=DoIt (Issued with method POST). An SQL injection can be taken</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">4. verkey on line 132 of pop_profile.asp is not sanitized. An SQL injection can be taken</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">pop_profile.asp?verkey='</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">5. SQL injection through Cookie alteration in pop_profile.asp (and all the other functions   
that use authentication through Cookies)</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Anyone can change the password in the cokie to "'" and inject sql in the ChkUsr2   
function</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">6. pm_delete2.asp Sql injection on line 85 - "Remove" parm is not sanitized</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">7. pm_delete2.asp - "Delete" parm is not sanitized</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Venodr has been contacted one month ago.</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">They released the new version 1.3.6 that *should* (I've not checked) all the above.</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
</div>  
<div align="left"><br/>  
<font face="Arial"><span style="font-size:10pt">Author: </span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Zinho is webmaster and founder of </span></font><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.hackerscenter.com</u></span></font><font   
face="Arial"><span style="font-size:10pt"> , </span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Security research portal </span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Secure Web Hosting Companies Reviewed: </span></font></div>  
<div align="left"><font face="Arial" color="#008000"><span style="font-size:10pt"><u>http://www.securityforge.com/web-hosting/secure-web-hosting.asp</u></span></font><font face="Arial"><span   
style="font-size:10pt"> </span></font></div>  
<div align="left"><br/>  
<font face="Arial"><span style="font-size:10pt">zinho-no-spam @ hackerscenter.com </span></font></div>  
<div align="left"><br/></div>  
<div align="left"><br/>  
</div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">====></span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">Webmaster of</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">.:[ Hackers Center : Internet Security Portal]:.</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">http://www.hackerscenter.com</span></font></div>  
<div align="left"><font face="Arial"><span style="font-size:10pt">http://www.securityforge.com/web-hosting</span></font></div>  
<div align="left"><br/>  
</div>  
<div align="left"></div>  
</body>  
</html>  
  
--Alt-Boundary-12164.15822371--  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Aug 2005 00:00Current
7.4High risk
Vulners AI Score7.4
maxwebportalhigh riskxsssql injectionpassword stealingportal defacementworking exploitshackerscenter.comsecurity advisory
31