XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal

["Manuel López" <mantra@gulo.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 

Title: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal 

By: Manuel López 

Vendor Description:
MaxWebPortal is a web portal and online community system which includes 
advanced features such as web-based administration, poll, private/public 
events calendar, user customizable color themes, classifieds, user control 
panel, online pager, link, file, article, picture managers and much more. 

Software:
MaxWebPortal 

Severity:
Moderately critical 

Impact:
Cross Site Scripting, Sql Injection, Avatar ScriptCode Injection. 

Description: 

- -- Cross Site Scripting -- 

An XSS vulnerability exists in the "sub_name" parameter of 'dl_showall.asp' 
as well as the "SendTo" parameter in Personal Messages that allows arbitrary 
code execution on the client-side browser. 

Another XSS vulnerability exists in the script 'down.asp'.
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p>
This vulnerability exists via insufficient
sanitization of the the HTTP_REFERER, an attacker can create false 
HTTP_REFERER headers which contain arbitrary HTML and script code.
<a href="<% =Request.ServerVariables("HTTP_REFERER") %>">Back</font></a></p> 

- -- Sql Injection -- 

Another problem of sanitation in the "SendTo" parameter in Personal Messages 
could lead an attacker to inject SQL code to manipulate and disclose various 
information from the database. 

- -- Avatar ScriptCode Injection -- 

The problem is in the 'register' form, it doesn't perform input validation 
when inserting an image name of an Avatar into the database. This can be 
exploited by a malicious user to inject arbitrary HTML or scriptcode instead 
of an Avatar.
This can be used for example to steal another user's cookies if the user 
visits a page where the attacker user's Avatar image would have been 
displayed. 

<select name="Avatar_URL" size="4" onChange ="if (CheckNav(3.0,4.0)) 
URL.src=form.Avatar_URL.options[form.Avatar_URL.options.selectedIndex].value 
;">
<option 
value="javascript:alert(document.cookie)">POC-Avatar</option></select> 

Solution:
MaxWebPortal fixed the bugs
Update to version 1.32
http://www.maxwebportal.com 

- ---- Credits ----
Manuel López ( mantra@gulo.org ) #IST
Special ThankŽs: -- Aklis -- gulo.org 

Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SaRgE^, VeNt0r, Kr0n0z.. 
and all the #IST staff. 

Excuse me for speaking English so badly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 

iD8DBQFAKC8plZD3/ZFHM4ERAvUuAJ9RBRGTfSurW9wbfXt8/6Rzmtw9dQCffJGO
v/5wnr9vEQs06foH8iXQ/NA=
=/ESJ
-----END PGP SIGNATURE-----