[ARL02-A03] DCP-Portal Cross Site Scripting Vulnerability

2002-02-15T00:00:00
ID SECURITYVULNS:DOC:2505
Type securityvulns
Reporter Securityvulns
Modified 2002-02-15T00:00:00

Description

+/--------\------- ALPER Research Labs -----/--------/+

+/---------\------ Security Advisory ----/---------/+

+/----------\----- ID: ARL02-A03 ---/----------/+

+/-----------\---- salper@olympos.org --/-----------/+

Advisory Information


Name : DCP-Portal Cross Site Scripting Vulnerability

Software Package : DCP-Portal

Vendor Homepage : http://www.dcp-portal.com

Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 and probably all previous versions.

Platforms : Linux

Vulnerability Type : Input Validation Error

Vendor Contacted : 09/02/2002 (no reply)

Prior Problems : N/A

Current Version : 4.2 (vulnerable)

Summary


DCP-Portal is a content management system with advanced features like web-based update, link, file, member management, poll, calendar, etc. Its main features include an admin panel to manage the entire site, a smart HTML editor to add news, content, and announcements, the ability for members to submit news/content and write reviews, and much more. It's an open-source project, which is also supported by FreshMeat.

A stored (persistent) Cross Site Scripting vulnerability exists in DCP-Portal. HTML and script entered into a member's profile are saved without validation and later echoed, unencoded, into pages served to other members. This allows a remote attacker to have arbitrary script execute in the browsers of other logged-in members, in the security context of the legitimate DCP-Portal site, so that the injected content looks as if it came from the legitimate server and can act with the victim's session on that site.

Details


The attacker first registers, preferably with a username that sorts alphabetically first (e.g. aaaaa), so that the entry appears at the top of the members list and is rendered for everyone who views it. After registering, activating and logging in with the account, he/she requests the Change Details form "http://www.dcp-portal_host/user_update.php". There, he/she may change the job info, inserting arbitrary code.

Example:

<script>alert("ALPERz was here!")</script>

After applying this information, whenever any logged-in member requests the members page, the stored script is returned as part of that page and executes in the member's browser; this is where the Cross Site Scripting (written "CSS" in the original advisory) vulnerability takes effect.

The same profile fields might also be exploitable through the registration form, when a user first registers.

Solution


Suggested Solution:

Strip HTML tags, and possibly other malicious code, from the data submitted through user_update.php (and the registration form) before it is stored, and HTML-encode profile fields when they are echoed back into pages (e.g. with PHP's htmlspecialchars()), so that a stored value can never be interpreted as markup. Stripping tags alone is weaker than encoding on output, since a filter that removes tags in a single pass can be fed input that reassembles into a tag once the pieces are removed.

Vendor did not care to reply or was unreachable.
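The following is an added illustration, not code from DCP-Portal or from the advisory's author. It models the flow described in Details and Solution in Python (a stand-in for the PHP of user_update.php, which is not reproduced here): a members page that interpolates the stored "job" field raw, beside a hardened version that HTML-encodes every user-controlled value at output time. It also shows why the suggested "strip HTML tags" fix is not sufficient on its own, using a generic tag-splitting input (an assumption for illustration, not a payload reported against DCP-Portal) that a single-pass stripper turns back into a script tag.

```python
import html
import re

# Constructed sample data: the attacker's "job" field exactly as in the advisory.
ADVISORY_PAYLOAD = '<script>alert("ALPERz was here!")</script>'

# Generic tag-splitting input (assumed for illustration, not from the advisory):
# one pass of script-tag removal rebuilds the inner tag from the pieces around it.
NESTED_PAYLOAD = '<scr<script>ipt>alert(1)</scr</script>ipt>'

# Matches a literal <script ...> or </script> tag.
SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)


def strip_script_tags_once(value: str) -> str:
    """Naive single-pass 'strip HTML tags' filter, as applied at store time."""
    return SCRIPT_TAG.sub('', value)


def contains_script_tag(markup: str) -> bool:
    """True if the markup still carries a literal script tag the browser would act on."""
    return SCRIPT_TAG.search(markup) is not None


def render_member_row_unsafe(username: str, job: str) -> str:
    """Models the flaw: stored profile data is interpolated into HTML unchanged."""
    return f'<tr><td>{username}</td><td>{job}</td></tr>'


def render_member_row_safe(username: str, job: str) -> str:
    """Hardened form: HTML-encode every user-controlled value at output time
    (the Python equivalent of PHP's htmlspecialchars with quotes escaped)."""
    return (f'<tr><td>{html.escape(username, quote=True)}</td>'
            f'<td>{html.escape(job, quote=True)}</td></tr>')


def members_page(members: list[tuple[str, str]], safe: bool) -> str:
    """Render the members page. Members are sorted by username, so an attacker
    registered as 'aaaaa' lands in the first row, as the advisory suggests."""
    render = render_member_row_safe if safe else render_member_row_unsafe
    rows = ''.join(render(user, job) for user, job in sorted(members))
    return f'<table>{rows}</table>'


if __name__ == '__main__':
    members = [('zoe', 'editor'), ('aaaaa', ADVISORY_PAYLOAD)]
    # Unsafe rendering hands the stored script to every member's browser.
    print(members_page(members, safe=False))
    # Safe rendering shows the attacker's text literally and executes nothing.
    print(members_page(members, safe=True))
    # Strip-only filtering: the single pass leaves a working script tag behind.
    print(strip_script_tags_once(NESTED_PAYLOAD))
```

Run it as a script to see both renderings side by side. The design point is that encoding is applied where the value meets the HTML context, so it holds regardless of what was accepted at registration or in user_update.php; input stripping can still be kept as defence in depth, but it is not the control the page should rely on.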

Credits


Discovered on 09 February 2002 by Ahmet Sabri ALPER, salper@olympos.org

Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.

Olympos Turkish Security Portal: http://www.olympos.org

References


Product Web Page: http://www.dcp-portal.com