Critical Vulnerabilities In Max Web Portal

From: JeiAr (jeiarat_private)
Date: Fri Jun 06 2003 - 09:31:41 PDT

    Multiple Vulnerabilities In Max Web Portal
    ------------------------------------------
    Discovery Date: 05/2003
    Versions Vuln : All? / 1.30
    Author's URL  : http://www.maxwebportal.com
                    http://www.maxcanada.ca
    Notify Status : Patch Available / Upgrade
    
    
    
    Product Description
    ------------------------------------------
    MaxWebPortal is a web portal and online community 
    system which includes advanced features such as 
    web-based administration, poll, private/public 
    events calendar, user customizable color themes, 
    classifieds, user control panel, online pager, 
    link, file, article, picture managers and much 
    more. Easy-to-use and powerful user interface 
    allows members to add news, content, write reviews 
    and share information among other registered users.
    
    
    Vendor Status
    ------------------------------------------
    The vendor was not only very quick and helpful with
    replying, but they got a fix out just as quick. I must
    say it was quite impressive :) As far as a fix goes,
    here are two links to the patch.
    
    http://www.gulftech.org/vuln/MaxWebPortal%201.30%20Patch.zip
    http://www.maxwebportal.com
    
    There will also be a new version of Max Web Portal released
    this upcoming week, and it will be available at www.maxwebportal.com.
    None of these patches have been tested by myself or any other
    security researchers thus far, and it is not known if the holes
    were fixed 100%, but time will tell :)
    
    
    search.asp XSS Vulnerability
    ------------------------------------------
    The Max Web Portal search utility is vulnerable
    to cross site scripting attacks. All an attacker
    has to do is break out of the input tags and enter
    their code of choice such as JS or VBS. Below is
    an example of this vulnerability.
    
    http://blah/search.asp?Search="><script>alert()</script>
    
    Remember this vuln as I will later explain how it
    can be used to aid an attacker to compromise user
    and admin accounts.
    
    
    
    Hidden Form Field Vulnerability
    ------------------------------------------
    The Max Web Portal system seems to rely on hidden
    form fields quite heavily. This is not really a problem
    if done securely. However, any user can perform some
    admin actions by exploiting the use of these hidden fields.
    For example, an attacker can deface a Max Web Portal
    site by clicking the link to start a new topic, saving the
    html file offline, and making a few changes. By adding the
    following to the form, any post an attacker makes will show
    up on the front page as a news item. (credits to pivot for
    finding this one :) )
    
    A field with name="news" value="1"
    
    And this will also lock the topic:
    
    A field with name="lock" value="1"
    
    Unfortunately this vuln can also be exploited by the scum of
    the earth (spammers :( ). Below is an example of how a user
    can send a private message to all members of the particular
    Max Web Portal driven site.
    
    A field with name="allmem" value="true"
    
    There may be other vulns like this that can be exploited. We,
    however, quit bothering with looking after these were found. heh
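As an added illustration (not code from Max Web Portal), here is a new-topic handler written both ways: the vulnerable version takes its privileges from the hidden fields named above, while the fixed version derives them from the server-side role of the logged-in session. The `Session`, `Post` and role names are assumptions made for this example.

```python
# Added example, not Max Web Portal's code. The hidden fields (news, lock,
# allmem) are the ones named in the advisory; Session/Post/roles are assumed.
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    role: str          # "member" or "admin", stored server-side, never in the form


@dataclass
class Post:
    author: str
    body: str
    front_page_news: bool = False   # the "news" hidden field
    locked: bool = False            # the "lock" hidden field
    pm_all_members: bool = False    # the "allmem" hidden field


def create_post_vulnerable(session: Session, form: dict) -> Post:
    """Trusts the hidden fields: whoever edits the form gets the privilege."""
    return Post(
        author=session.username,
        body=form.get("body", ""),
        front_page_news=form.get("news") == "1",
        locked=form.get("lock") == "1",
        pm_all_members=form.get("allmem") == "true",
    )


def create_post_fixed(session: Session, form: dict) -> Post:
    """Honours the admin-only flags only when the session's role is admin."""
    is_admin = session.role == "admin"
    return Post(
        author=session.username,
        body=form.get("body", ""),
        front_page_news=is_admin and form.get("news") == "1",
        locked=is_admin and form.get("lock") == "1",
        pm_all_members=is_admin and form.get("allmem") == "true",
    )


# Constructed sample: an ordinary member submits a saved-and-edited form.
MEMBER = Session("someuser", "member")
ADMIN = Session("siteadmin", "admin")
EDITED_FORM = {"body": "hello", "news": "1", "lock": "1", "allmem": "true"}
```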
    
    
    
    
    Account Compromise Via Cookie Poisoning
    ------------------------------------------
    Now this is where the earlier XSS vuln could come in very
    handy to an attacker. Basically, by changing certain values
    in the cookie file of a Max Portal Website an attacker can
    assume the identity of anyone, even an admin. This however
    is only possible if you have the encrypted password of a 
    user. But by using the above XSS vuln or other methods, this 
    can be accomplished quite easily. All an attacker has to do
    is login as themselves to obtain a valid sessionid. Then 
    without logging out, close the browser and change their name
    and encrypted pass in the cookie to that of the identity they 
    wish to assume. When they return to the site it will then
    recognize them as the compromised user.
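An added example (not the product's own code) contrasting the cookie layout described above, where the name and encrypted password in the cookie are the identity, with a cookie that carries only a random session id and an identity kept in a server-side table. The SHA-1 hash stands in for the "encrypted password" and the user table is constructed; both are assumptions.

```python
# Added example, not Max Web Portal's code. SHA-1 is a stand-in for the
# product's "encrypted password"; the user table below is constructed.
import hashlib
import secrets
from typing import Optional

USERS = {
    "admin": hashlib.sha1(b"adminpass").hexdigest(),
    "someuser": hashlib.sha1(b"userpass").hexdigest(),
}


def identity_from_cookie_vulnerable(cookie: dict) -> Optional[str]:
    """Pattern in the advisory: the name/encrypted-pass pair in the cookie
    is compared to the table and accepted as the user's identity."""
    name, stored = cookie.get("name"), cookie.get("pass")
    if name in USERS and USERS[name] == stored:
        return name
    return None


SESSIONS = {}   # session id -> user name; lives only on the server


def login_fixed(name: str, password: str) -> Optional[dict]:
    """Check the password once, then issue an unguessable session id."""
    if name not in USERS:
        return None
    if USERS[name] != hashlib.sha1(password.encode()).hexdigest():
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = name
    return {"sid": sid}   # the cookie: no name, no password material


def identity_from_cookie_fixed(cookie: dict) -> Optional[str]:
    """Identity is looked up from the session id; extra cookie fields
    such as a pasted-in name or hash are simply ignored."""
    return SESSIONS.get(cookie.get("sid", ""))


def logout_fixed(cookie: dict) -> None:
    """Invalidate the server-side session rather than relying on the client."""
    SESSIONS.pop(cookie.get("sid", ""), None)
```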
    
    
    
    
    Database Compromise Vulnerability
    ------------------------------------------
    This is taken directly from the Max Web Portal readme file explaining
    the recommended post-installation procedure. 
    "Remember to change the default admin password by clicking on the Profile 
    link in your Control Panel. For additional security, it is recommended to
    change your database name. example: neptune.mdb" This is not safe as 
    anyone with a CGI scanner can modify their list to find a Max Web Portal
    database. By default the database is located at this url
    
    /database/db2000.mdb
    
    And while it should be removed and placed in a non-accessible directory, 
    a lot of times it isn't :( This is definitely serious, as you do not need 
    to decrypt the pass for it to be any use to you, as I demonstrated
    earlier.
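For site operators, an added detector (not part of the advisory) that walks IIS W3C extended log lines and flags the two request shapes discussed so far: requests for the Access database under /database/ (successful downloads and failed probes for renamed files alike) and script tags in the search.asp query. The log lines and the field order are constructed for this example.

```python
# Added example, not from the advisory. Constructed W3C log lines with the
# fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
2003-06-06 16:31:41 192.0.2.10 GET /default.asp - 200
2003-06-06 16:31:55 192.0.2.10 GET /search.asp Search=portal 200
2003-06-06 16:32:02 192.0.2.77 GET /search.asp Search=%22%3E%3Cscript%3Ealert()%3C/script%3E 200
2003-06-06 16:32:30 192.0.2.77 GET /database/db2000.mdb - 200
2003-06-06 16:33:01 192.0.2.80 GET /database/neptune.mdb - 404
"""

# Script injection markers; matched after URL-decoding so %3C forms are caught.
SCRIPT_MARKER = re.compile(r"<\s*script|javascript:|vbscript:", re.IGNORECASE)


def scan(log_text: str) -> list:
    """Return (client ip, finding, detail) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):        # skip W3C directives
            continue
        parts = line.split()
        if len(parts) != 7:
            continue                                # not our constructed layout
        _date, _time, ip, _method, stem, query, status = parts
        stem_l = stem.lower()
        if stem_l.endswith(".mdb"):
            # 200 means the database left the server; anything else is a probe
            kind = "mdb_download" if status == "200" else "mdb_probe"
            findings.append((ip, kind, stem))
        elif stem_l.endswith("/search.asp"):
            decoded = unquote(query)
            if SCRIPT_MARKER.search(decoded):
                findings.append((ip, "search_xss", decoded))
    return findings
```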
    
    
    
    
    password.asp Password Reset Vulnerability
    ------------------------------------------
    This is by far the most serious vuln of them all. While the cookie 
    poisoning vuln will let you log in as anyone, your access is somewhat 
    limited. However, by requesting a forgotten password, an attacker can 
    then save the password reset page offline, edit the member id in the 
    source code to the id number of the desired victim, and reset their
    password to one of their liking, no questions asked. This leads to total
    compromise of the webportal system. An attacker can even write a script
    in a matter of minutes to reset the entire database to a pass of their 
    liking. I wrote a script like this during the research of this product 
    but will not be releasing it to the public as I'm sure it will only be 
    abused.
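As an added example of the fix (not Max Web Portal's code), a reset flow in which the member whose password changes is chosen by a random, single-use, expiring token that the server bound to the account when the reset was requested; a member id edited into the submitted form has no effect. The member table, the token lifetime and the form field names are assumptions.

```python
# Added example, not the product's code. Member table, TTL and field names
# are constructed for illustration.
import secrets
import time
from typing import Optional

MEMBERS = {
    1: {"email": "admin@example.invalid", "password": "old-admin"},
    7: {"email": "user@example.invalid", "password": "old-user"},
}
RESET_TOKENS = {}          # token -> (member id, expiry); server-side only
TOKEN_TTL = 30 * 60        # seconds a reset link stays valid


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Bind a fresh token to the account owning this address; in practice the
    token is mailed to that address and never shown in the page source."""
    now = time.time() if now is None else now
    for member_id, rec in MEMBERS.items():
        if rec["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[token] = (member_id, now + TOKEN_TTL)
            return token
    return None


def reset_password_vulnerable(form: dict) -> bool:
    """Pattern described in the advisory: the form itself names the member."""
    member_id = int(form["member_id"])
    if member_id not in MEMBERS:
        return False
    MEMBERS[member_id]["password"] = form["new_password"]
    return True


def reset_password_fixed(form: dict, now: Optional[float] = None) -> bool:
    """The token decides which member is reset; it is consumed on first use
    and rejected after expiry. Any member_id in the form is ignored."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(form.get("token", ""), None)   # single use
    if entry is None:
        return False
    member_id, expiry = entry
    if now > expiry:
        return False
    MEMBERS[member_id]["password"] = form["new_password"]
    return True
```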
    
    
    
    JeiAr
    
    
    
    Credits
    ------------------------------------------
    All credits go to JeiAr of GulfTech Computers & CSA and Pivot of the
    CSA Security Research Team.
    



    This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 10:58:47 PDT