[ARL02-A03] DCP-Portal Cross Site Scripting Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Fri Feb 15 2002 - 06:04:44 PST


    
     ('binary' encoding is not supported, stored as-is)
    +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------  Security Advisory  ----/---------/+
    +/----------\-----    ID: ARL02-A03    ---/----------/+
    +/-----------\---- salperat_private  --/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : DCP-Portal Cross Site Scripting Vulnerability
    Software Package   : DCP-Portal
    Vendor Homepage    : http://www.dcp-portal.com
    Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 and probably all
                         previous versions.
    Platforms          : Linux
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 09/02/2002 (no reply)
    Prior Problems     : N/A
    Current Version    : 4.2 (vulnerable)
    
    
    Summary
    -------
    DCP-Portal is a content management system with advanced features like
    web-based update, link, file, member management, poll, calendar, etc.
    Its main features include an admin panel to manage the entire site, a
    smart HTML editor to add news, content, and announcements, the ability
    for members to submit news/content and write reviews, and much more.
    It's an open-source project, which is also supported by FreshMeat.
    
    A Cross Site Scripting vulnerability exists in DCP-Portal. This would
    allow a remote attacker to send information to victims from untrusted
    web servers, and make it look as if the information came from the
    legitimate server.
    
    
    Details
    -------
    The attacker will first register, probably with a username that sorts
    first alphabetically (e.g. aaaaa). After registering, activating and
    logging in with the account, he/she would request the Change Details
    form "http://www.dcp-portal_host/user_update.php". There, he/she may
    change the job info, inserting arbitrary code. Example:
    <script>alert("ALPERz was here!")</script>
    After this information is applied, the cross-site scripting (CSS)
    vulnerability takes effect whenever any logged-in member requests the
    members page.
    
    This CSS vulnerability might also be exploitable when a user first
    registers.
    
    Solution
    --------
    Suggested Solution:
    Strip HTML tags, and possibly other malicious code, within
    user_update.php.
    The vendor did not care to reply or was unreachable.
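
The stored profile field and the suggested fix, as an added example that is not DCP-Portal's own code: a vulnerable rendering of the job field on the members page beside an escaped one, plus an input filter of the kind the Solution section suggests. The variable, function and field names are assumptions.

```php
<?php
// Added example, not DCP-Portal code. Field and function names are assumed.

// Constructed sample record: the advisory's payload stored in the job field
// of a member whose username sorts first on the members page.
$member = [
    'username' => 'aaaaa',
    'job'      => '<script>alert("ALPERz was here!")</script>',
];

// Vulnerable pattern: the stored value is echoed into the page unchanged, so
// the browser of every logged-in member who views the members page runs it.
function render_job_unsafe(array $member): string
{
    return '<td>' . $member['job'] . '</td>';
}

// Hardened output: htmlspecialchars() turns '<', '>', '&', '"' (and with
// ENT_QUOTES also "'") into entities, so the text is displayed but never
// parsed as markup. This is the primary defence; apply it wherever the
// field is rendered, not only on the members page.
function render_job_safe(array $member): string
{
    return '<td>' . htmlspecialchars($member['job'], ENT_QUOTES, 'UTF-8') . '</td>';
}

// Input-side filter matching the advisory's suggestion: strip tags before
// the value is saved, in user_update.php and in the registration form, since
// the advisory notes the same field may be exploitable at registration.
// Stripping alone is not sufficient (it misses encoded or broken tags), so
// keep the output escaping above as well.
function filter_job_input(string $raw): string
{
    return trim(strip_tags($raw));
}

// Demonstration on the sample record.
echo "unsafe  : ", render_job_unsafe($member), "\n";
echo "escaped : ", render_job_safe($member), "\n";
echo "filtered: ", filter_job_input($member['job']), "\n";
```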
    
    Credits
    -------
    Discovered on 09 February 2002 by Ahmet Sabri ALPER salperat_private
    Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.
    
    Olympos Turkish Security Portal: 
    http://www.olympos.org
    
    
    References
    ----------
    Product Web Page: http://www.dcp-portal.com
    



    This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 11:03:33 PST