You can use the form below to search our site. Just enter the
keywords to search.
Multiple Vulnerabilities In Max Web Portal
June 06, 2022
MaxWebPortal is a web portal and online community system which includes advanced
features such as web-based administration, poll, private/public events calendar,
user customizable color themes, classifieds, user control panel, online pager,
link, file, article, picture managers and much more. Easy-to-use and powerful user
interface allows members to add news, content, write reviews and share information
among other registered users.
Search XSS Vulnerability:
The Max Web Portal search utility is vulnerable to cross site scripting attacks. All
an attacker has to do is break out of the input tags and enter thier code of choice such
as JS or VBS. Below is an example of this vulnerability.
Remember this vuln as I will later explain how it can be used to aide an attacker to
compromise user and admin accounts.
Hidden Form Field weakness:
The Max Web Portal system seems to rely on hidden form fields quite heavily. This is not
really a problem if done securely. However any user can perform some admin actions by
exploiting the use of these hidden fields. For example, and attacker can deface a Max Web
Portal site by clicking the link to start a new topic, saving the html file offline, and
making a few changes. By adding the following to the form any post an attacker makes will
show up on the front page as a news item. (credits to pivot for finding this one :) )
A field with value=1 name=news
And this will also lock the topic
A field with name="lock" value="1"
Unfortunately this vuln can also be exploited by the scum of the earth (spammers :( )
Below is an example of how a user can send a private message to all members of the
particular Max Web Portal driven site
A field with name="allmem" value="true"
There may be other vulns like this that can be exploited. We however quit bothering with
looking after these were found. heh
Cookie Authentication Bypass Vulnerability:
Now this is where the earlier XSS vuln could come in very handy to an attacker. Basically,
by changing certain values in the cookie file of a Max Portal Website an attacker can
assume the identity of anyone, even an admin. This however is only possible if you have
the encrypted password of a user. But by using the above XSS vuln or other methods, this
can be accomplished quite easily. All an attacker has to do is login as thierselves to
obtain a valid sessionid. Then without logging out, close the browser and change thier
name and encrypted pass in the cookie to that of the identity they wish to assume. When
they return to the site it will then recognize them as the compromised user.
Database Compromise Vulnerability:
This is taken directly from the Max Web Portal readme file explaining the recommended post
"Remember to change the default admin password by clicking on the Profile link in your
Control Panel. For additional security, it is recommended to change your database name.
This is not safe as anyone with a CGI scanner can modify thier list to find a Max Web
Portal database. By default the database is located at this url
And while it should be removed and placed in a non accessible directory, alot of times it
isn't :( This is definately serious, as you do not need to decrypt the pass for it to be
any use to you, as I demonstrated earlier.
Password Reset Vulnerability:
This is by far the most serious vuln of them all. While the cookie poisioning vuln
will let you log in as anyone, your access is somewhat limited. However, by requesting
a forgotten password, an attacker can then save the password reset page offline, edit
the member id in the source code to the id number of the desired victim, and reset thier
password to one of thier liking, no questions asked. Here is an modified example.
MaxWebPortal Proof of Concept Exploit
This leads to total compromise of the webportal system. An attacker can even write a script
in a matter of minutes to reset the entire database to a pass of thier liking. I wrote a
script like this during the research of this product but will not be releasing it to the
public as im sure it will only be abused.
Upgrade to version v3.4.04 or higher
James Bercegay of the GulfTech Security Research Team.