GulfTech Computers - Professional Computer Services  
Additional Links
-> Dicussion Forum
-> Encryption Tools
-> Information Tools
-> Net Info Tools
-> Latest Advisories
-> Latest Vulns
-> Latest Win Software
-> Latest Nix Software
-> Security News
-> Security Press
Recent News

GulfTech Computers strives to beat the price(s) of any other business around. Check with us first as it just may save you some time and money. And who doesn't want to save money? Please contact us with any questions or inquiries.

Latest GulfTech Releases

SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used to find many hosts not on the public netblock. A very interesting tool to say the least. Works on both Nix and Windows based systems. Get it now!

Download SubScan v1.2

Search GulfTech
You can use the form below to search our site. Just enter the keyword or keywords to search.
Latest Advisories
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe (SCOSA-2004.7)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities (SCOSA-2004.10)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges (SCOSA-2004.3)
SCO Security Advisory - UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges. (SCOSA-2004.2)
Microsoft Security Bulletin Re-release, August 2004
Latest Vulnerabilities
OpenFTPD Format String Vulnerability
Fusion News Unauthorized Account Addition Vulnerability
Jaws 0.4 Authentication Bypass Vulnerability
DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
LostBook v1.1 Javascript Execution Vulnerability
Latest Security News
Anti-spam spamvertisers agree to quit
Black Hat day 2 sounds security alarm
VPNs (Virtual Private Nightmares)
HNS Newsletter issue 224 has been released
Long-awaited IE patch (finally) arrives















Multiple Vulnerabilities In Max Web Portal
June 06, 2022


Vendor : Max Web Portal
URL : http://www.maxwebportal.com
Version : MaxWebPortal 1.30 && Older
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/7837


Description:
MaxWebPortal is a web portal and online community system which includes advanced features such as web-based administration, poll, private/public events calendar, user customizable color themes, classifieds, user control panel, online pager, link, file, article, picture managers and much more. Easy-to-use and powerful user interface allows members to add news, content, write reviews and share information among other registered users.


Search XSS Vulnerability:
The Max Web Portal search utility is vulnerable to cross site scripting attacks. All an attacker has to do is break out of the input tags and enter thier code of choice such as JS or VBS. Below is an example of this vulnerability.

search.asp?Search="><script>alert(document.cookie)</script>

Remember this vuln as I will later explain how it can be used to aide an attacker to compromise user and admin accounts.


Hidden Form Field weakness:
The Max Web Portal system seems to rely on hidden form fields quite heavily. This is not really a problem if done securely. However any user can perform some admin actions by exploiting the use of these hidden fields. For example, and attacker can deface a Max Web Portal site by clicking the link to start a new topic, saving the html file offline, and making a few changes. By adding the following to the form any post an attacker makes will show up on the front page as a news item. (credits to pivot for finding this one :) )

A field with value=1 name=news

And this will also lock the topic

A field with name="lock" value="1"

Unfortunately this vuln can also be exploited by the scum of the earth (spammers :( ) Below is an example of how a user can send a private message to all members of the particular Max Web Portal driven site

A field with name="allmem" value="true"

There may be other vulns like this that can be exploited. We however quit bothering with looking after these were found. heh


Cookie Authentication Bypass Vulnerability:
Now this is where the earlier XSS vuln could come in very handy to an attacker. Basically, by changing certain values in the cookie file of a Max Portal Website an attacker can assume the identity of anyone, even an admin. This however is only possible if you have the encrypted password of a user. But by using the above XSS vuln or other methods, this can be accomplished quite easily. All an attacker has to do is login as thierselves to obtain a valid sessionid. Then without logging out, close the browser and change thier name and encrypted pass in the cookie to that of the identity they wish to assume. When they return to the site it will then recognize them as the compromised user.


Database Compromise Vulnerability:
This is taken directly from the Max Web Portal readme file explaining the recommended post installation procedure.

"Remember to change the default admin password by clicking on the Profile link in your Control Panel. For additional security, it is recommended to change your database name. example: neptune.mdb"

This is not safe as anyone with a CGI scanner can modify thier list to find a Max Web Portal database. By default the database is located at this url

/database/db2000.mdb

And while it should be removed and placed in a non accessible directory, alot of times it isn't :( This is definately serious, as you do not need to decrypt the pass for it to be any use to you, as I demonstrated earlier.


Password Reset Vulnerability:
This is by far the most serious vuln of them all. While the cookie poisioning vuln will let you log in as anyone, your access is somewhat limited. However, by requesting a forgotten password, an attacker can then save the password reset page offline, edit the member id in the source code to the id number of the desired victim, and reset thier password to one of thier liking, no questions asked. Here is an modified example.

<!-- MaxPortal Proof Of Concept Exploit - By JeiAr http://www.gulftech.org -->
<form action="http://localhost/password.asp?mode=reset" method="post">
User ID <input type="text" name="memId" value=""><br>
Pass #1 <input type="text" name="pass" size="25"><br>
Pass #2 <input type="text" name="pass2" size="25"><br>
<input type="submit" value="Submit">
</form>
<!-- MaxPortal Proof Of Concept Exploit - By JeiAr http://www.gulftech.org -->

This leads to total compromise of the webportal system. An attacker can even write a script in a matter of minutes to reset the entire database to a pass of thier liking. I wrote a script like this during the research of this product but will not be releasing it to the public as im sure it will only be abused.


Solution:
Upgrade to version v3.4.04 or higher


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.






© Copyright 2002 - GulfTech Computers, All Rights Reserved
Contact GulfTech Computers