MaxWebPortal XSS, Sql Injection and Avatar ScriptCode Injection

Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal 

By: Manuel López 

Vendor Description:
MaxWebPortal is a web portal and online community system which includes 
advanced features such as web-based administration, poll, private/public 
events calendar, user customizable color themes, classifieds, user control 
panel, online pager, link, file, article, picture managers and much more. 


Moderately critical 

Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection. 


 - -- Cross Site Scripting -- 

An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp' 
as well as the "SendTo" parameter in Personal Messages; either allows arbitrary 
script execution in the victim's browser. 

Another XSS vulnerability exists in the script 'down.asp'.

This vulnerability is due to insufficient sanitization of the HTTP_REFERER header, whose value the script echoes unescaped into its "Back" link. An attacker can supply a false HTTP_REFERER header containing arbitrary HTML and script code.
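The following is an added example, not code from this advisory or from MaxWebPortal (which is written in ASP): it shows in Python how a "Back" link built from the Referer header can be emitted without letting the header's content become markup. The function names, the fallback page `default.asp`, and the sample Referer values are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample Referer values (not taken from the advisory): one benign,
# one carrying markup in its path.
BENIGN_REFERER = "http://example.com/forum/topic.asp?id=12"
HOSTILE_REFERER = 'http://example.com/"><script>alert(1)</script>'


def safe_back_href(referer, fallback="default.asp"):
    """Return a URL usable as the target of a 'Back' link.

    Only absolute http/https URLs are accepted; a missing header or any other
    scheme (javascript:, data:, ...) falls back to a fixed page. The fallback
    name is an assumption of this example.
    """
    if not referer:
        return fallback
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return fallback
    return referer


def render_back_link(referer):
    """Render the anchor the page would emit.

    The scheme check alone is not enough: HOSTILE_REFERER passes it because it
    is a well-formed http URL. Escaping the value as an HTML attribute is what
    keeps the quote and angle brackets from closing the href and starting a tag.
    """
    href = safe_back_href(referer)
    return '<a href="%s">Back</a>' % html.escape(href, quote=True)


if __name__ == "__main__":
    print(render_back_link(BENIGN_REFERER))
    print(render_back_link(HOSTILE_REFERER))   # markup arrives as &quot;&gt;&lt;script&gt;...
    print(render_back_link("javascript:alert(1)"))  # falls back to default.asp
```

The two checks are independent layers: the scheme whitelist stops non-navigational URLs from ever being offered as a link, and the attribute escaping makes the output safe regardless of what the header contained.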

 - -- Sql Injection -- 

Another sanitization problem in the "SendTo" parameter of Personal Messages lets an attacker inject SQL code to manipulate and disclose various information from the database. 

 - -- Avatar ScriptCode Injection -- 

The problem is in the 'register' form: it does not perform input validation when inserting the image name of an Avatar into the database. A malicious user can exploit this to inject arbitrary HTML or script code instead of an Avatar, for example to steal another user's cookies when that user visits a page where the attacker's Avatar image would have been displayed. 

Solution: 
MaxWebPortal fixed the bugs. Update to version 1.32. 

 - ---- Credits ---- 

Manuel López ( ) 
#IST 

Special Thanks: 
-- Aklis -- 
Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z.. and all the #IST staff. 

Excuse me for speaking English so badly.
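As an added example (not the advisory's or MaxWebPortal's own code, which is classic ASP), the Python below shows the two controls that address the Sql Injection and Avatar ScriptCode Injection issues above: a whitelist on the avatar image name before it is stored, and a bound parameter for the "SendTo" lookup so the recipient value cannot change the query. The table layout, the name pattern, and the sample inputs are assumptions constructed for the example; it uses an in-memory SQLite database so it runs offline.

```python
import html
import re
import sqlite3

# Whitelist for avatar image names (policy assumed for this example): a bare
# filename with an image extension, so no path separators and no markup.
AVATAR_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)$", re.IGNORECASE)


def is_valid_avatar_name(name):
    """True only if the avatar name matches the whitelist."""
    return bool(name) and AVATAR_NAME_RE.fullmatch(name) is not None


def open_db():
    """Create the constructed 'members' table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT PRIMARY KEY, avatar TEXT)")
    return conn


def register(conn, member, avatar):
    """Store a new member; the avatar name is validated before it reaches the INSERT."""
    if not is_valid_avatar_name(avatar):
        raise ValueError("rejected avatar name: %r" % (avatar,))
    conn.execute("INSERT INTO members (name, avatar) VALUES (?, ?)", (member, avatar))
    conn.commit()


def find_member(conn, sendto):
    """Look up a message recipient with a bound parameter, never string
    concatenation, so the SendTo value is compared literally and cannot
    alter the structure of the query."""
    return conn.execute(
        "SELECT name, avatar FROM members WHERE name = ?", (sendto,)
    ).fetchone()


def avatar_tag(avatar):
    """Render the stored avatar name; attribute escaping on output is the
    second layer in case a bad value ever reaches the table by another path."""
    return '<img src="avatars/%s" alt="avatar">' % html.escape(avatar, quote=True)


if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "alice.png")                          # accepted
    print(find_member(db, "alice"))                             # ('alice', 'alice.png')
    print(find_member(db, "alice' OR '1'='1"))                  # None: the quote is just data
    print(is_valid_avatar_name("x.gif<script>alert(1)</script>"))  # False: rejected on input
```

Validation on input rejects anything that is not an image filename, which is the fix the 'register' form lacked; the bound parameter in `find_member` is the corresponding fix for the "SendTo" lookup, and the output escaping in `avatar_tag` is defence in depth rather than a substitute for either.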

