Multiple Vulnerabilities In Max Web Portal

June 06, 2022

Vendor  : Max Web Portal
URL     : http://www.maxwebportal.com
Version : MaxWebPortal 1.30 && Older
Risk    : Multiple Vulnerabilities
BID     : http://www.securityfocus.com/bid/7837

Description:
MaxWebPortal is a web portal and online community
system which includes advanced features such as
web-based administration, poll, private/public
events calendar, user customizable color themes,
classifieds, user control panel, online pager,
link, file, article, picture managers and much
more. Easy-to-use and powerful user interface
allows members to add news, content, write reviews
and share information among other registered users.

Search XSS Vulnerability:
The Max Web Portal search utility is vulnerable
to cross site scripting attacks. All an attacker
has to do is break out of the input tags and enter
their code of choice such as JS or VBS. Below is
an example of this vulnerability.
search.asp?Search="><script>alert(document.cookie)</script>
Remember this vuln as I will later explain how it
can be used to aid an attacker in compromising user
and admin accounts.
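The fix for this class of bug is to HTML-encode the search term at the point where search.asp echoes it back into the page. The following is an added example written for this page in JavaScript (Node), not code from the advisory or from MaxWebPortal; the input-box template, the function names and the sample term (taken from the request shape shown above) are assumptions used to show the unencoded and the encoded rendering side by side.

```javascript
// Added example, not MaxWebPortal code: HTML-encode a search term before it
// is echoed back into the results page, so markup inside the Search parameter
// is rendered as text instead of being interpreted by the browser.

// Map each HTML-significant character to its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed template): the term is concatenated as-is,
// so a quote and a closing bracket end the attribute and the tag.
function renderSearchBoxUnsafe(term) {
  return `<input type="text" name="Search" value="${term}">`;
}

// Hardened pattern: the same template, with the term encoded first.
function renderSearchBoxSafe(term) {
  return `<input type="text" name="Search" value="${escapeHtml(term)}">`;
}

// Crude check used only to show the difference: does the rendered HTML
// contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the payload shape from the advisory above.
const SAMPLE_TERM = '"><script>alert(document.cookie)</script>';

// Render both forms for the same term.
function demo() {
  return {
    unsafe: renderSearchBoxUnsafe(SAMPLE_TERM),
    safe: renderSearchBoxSafe(SAMPLE_TERM),
  };
}

const out = demo();
console.log("unsafe:", out.unsafe, "live script:", containsScriptTag(out.unsafe));
console.log("safe:  ", out.safe, "live script:", containsScriptTag(out.safe));
```

In classic ASP, which MaxWebPortal is written in, Server.HTMLEncode does the same job as escapeHtml here; the point is that encoding happens on output, for every place the term is written into the page, not just the input box.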

Hidden Form Field Weakness:
The Max Web Portal system seems to rely on hidden
form fields quite heavily. This is not really a problem
if done securely. However, any user can perform some
admin actions by exploiting the use of these hidden fields.
For example, an attacker can deface a Max Web Portal
site by clicking the link to start a new topic, saving the
html file offline, and making a few changes. By adding the
following to the form, any post an attacker makes will show
up on the front page as a news item. (credits to pivot for
finding this one :) )
A field with name="news" value="1"
And this will also lock the topic:
A field with name="lock" value="1"
Unfortunately this vuln can also be exploited by the scum of
the earth (spammers :( ). Below is an example of how a user
can send a private message to all members of a particular
Max Web Portal driven site:
A field with name="allmem" value="true"
There may be other vulns like this that can be exploited. We
however quit bothering to look for more after these were found. heh
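The underlying mistake is that the server treats the presence of a hidden field as proof of permission. The following is an added example in JavaScript (Node), not code from the advisory or from MaxWebPortal, showing the server-side shape that avoids it: the caller's role is read from the server's own member record, and each privileged flag (news, lock, allmem, the names used above) is honoured only if that role permits it. The member table, role names and rank ordering are assumptions.

```javascript
// Added example, not MaxWebPortal code: take privileged post attributes from
// the caller's server-side role, never from hidden form fields the client sent.
// The user table, role names and form field names are assumptions (the field
// names match the ones named in the advisory).

// Constructed member table standing in for the portal's database.
const USERS = {
  alice: { role: "admin" },
  bob: { role: "member" },
};

// Flags a client may try to set, with the minimum role needed to honour them.
const PRIVILEGED_FLAGS = {
  news: "admin",   // show the post on the front page as a news item
  lock: "admin",   // lock the topic
  allmem: "admin", // send a private message to every member
};

const ROLE_RANK = { member: 0, moderator: 1, admin: 2 };

function roleAllows(role, requiredRole) {
  const have = ROLE_RANK[role] === undefined ? -1 : ROLE_RANK[role];
  return have >= ROLE_RANK[requiredRole];
}

// Form values arrive as strings; treat "1" and "true" as set.
function isSet(value) {
  return value === "1" || value === "true";
}

// Build the post record from the request body. The client can put anything it
// likes in `form`; each privileged flag is honoured only if the server's own
// record of the user permits it, and dropped (and noted for the log) otherwise.
function buildPost(username, form) {
  const user = USERS[username];
  if (!user) throw new Error(`unknown user: ${username}`);
  const post = {
    author: username,
    subject: String(form.subject || ""),
    body: String(form.body || ""),
    news: false,
    lock: false,
    allmem: false,
    rejectedFlags: [], // what to write to the audit log
  };
  for (const [flag, requiredRole] of Object.entries(PRIVILEGED_FLAGS)) {
    if (!isSet(form[flag])) continue;
    if (roleAllows(user.role, requiredRole)) {
      post[flag] = true;
    } else {
      post.rejectedFlags.push(flag);
    }
  }
  return post;
}

// Constructed request: an ordinary member submits the advisory's extra fields.
const memberPost = buildPost("bob", { subject: "hello", body: "...", news: "1", lock: "1", allmem: "true" });
console.log(memberPost);
```

Rejected flags are worth logging: a member whose new-topic request carries news=1 or allmem=true has edited the form, which is a useful detection signal on its own.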

Cookie Authentication Bypass Vulnerability:
Now this is where the earlier XSS vuln could come in very
handy to an attacker. Basically, by changing certain values
in the cookie file of a Max Portal website an attacker can
assume the identity of anyone, even an admin. This however
is only possible if you have the encrypted password of a
user. But by using the above XSS vuln or other methods, this
can be accomplished quite easily. All an attacker has to do
is log in as themselves to obtain a valid sessionid. Then,
without logging out, close the browser and change their name
and encrypted pass in the cookie to that of the identity they
wish to assume. When they return to the site it will then
recognize them as the compromised user.

Database Compromise Vulnerability:
This is taken directly from the Max Web Portal readme file explaining
the recommended post-installation procedure.
"Remember to change the default admin password by clicking on the Profile link
in your Control Panel. For additional security, it is recommended to change your
database name. example: neptune.mdb"
This is not safe, as anyone with a CGI scanner can modify their list to
find a Max Web Portal database. By default the database is located at this url:
/database/db2000.mdb
And while it should be removed and placed in a non-accessible directory, a lot of
times it isn't :( This is definitely serious, as you do not need to decrypt
the pass for it to be of any use to you, as I demonstrated earlier.

Password Reset Vulnerability:
This is by far the most serious vuln of them all. While the cookie poisoning vuln
will let you log in as anyone, your access is somewhat limited. However, by requesting
a forgotten password, an attacker can then save the password reset page offline, edit
the member id in the source code to the id number of the desired victim, and reset their
password to one of their liking, no questions asked. Here is a modified example.
<!-- MaxPortal Proof Of Concept Exploit - By JeiAr http://www.gulftech.org -->
<form action="http://localhost/password.asp?mode=reset" method="post">
User ID <input type="text" name="memId" value=""><br>
Pass #1 <input type="text" name="pass" size="25"><br>
Pass #2 <input type="text" name="pass2" size="25"><br>
<input type="submit" value="Submit">
</form>
<!-- MaxPortal Proof Of Concept Exploit - By JeiAr http://www.gulftech.org -->
This leads to total compromise of the web portal system. An attacker can even write a script
in a matter of minutes to reset the entire database to a pass of their liking. I wrote a
script like this during the research of this product but will not be releasing it to the
public as I'm sure it will only be abused.

Solution:
Upgrade to version v3.4.04 or higher

Credits:
Credits go to JeiAr of the GulfTech Security Research Team.