Hackers Center Security Group (http://www.hackerscenter.com/) 
Zinho's Security Advisory  


Title: MaxWebPortal 1.33  XSS and Sql injection
Risk: High
Date: 31/03/2005 
Vendor: Max Web portal http://www.maxwebportal.com



---  Let's begin with the XSS.
In the page links_add_form.asp anyone can supply a banner URL such as javascript:alert(document.cookie), which leads to session cookie theft. This is a high-risk vulnerability because a malicious user can steal session cookies stealthily by crafting a suitably undetected script.
Workaround: HTML-encoding the input would be a starting point but is not enough; thorough input sanitization is required. (The banner_url parameter is supposed to be a remote URL, so why not check that it is a valid URL?)


----  SQL Injection:
A full SQL injection is possible due to an input validation error in the function Update_Events in the page events_functions.asp. The EVENT_ID parameter passed via POST is not properly validated, so anyone can issue a POST with crafted parameters to inject SQL, or simply change all the values in the table PORTAL_EVENTS.

Workaround: in events_functions.asp, line 192, replace chkstring(Request.Form("EVENT_ID"), "message") with:

' Accept EVENT_ID only when it is numeric; otherwise stop handling the request
If IsNumeric(Request.Form("EVENT_ID")) Then
    event_id = CLng(Request.Form("EVENT_ID"))
Else
    Response.End
End If
Full Exploit here:
http://www.hackerscenter.com/archive/view.asp?id=1807
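The two workarounds above, taken together as an added example that is not part of this advisory or of MaxWebPortal: a scheme allowlist for banner_url and a strict numeric parse for EVENT_ID, written for Node.js. The function names, length limits and sample inputs are assumptions made for the illustration.

```javascript
// Added example, not code from the advisory or from MaxWebPortal: server-side
// allowlist validation for the two inputs discussed above, written for Node.js.
// Function names, limits and sample inputs are assumptions for this illustration.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL if banner_url is an http(s) URL with a
// host, otherwise null. Using the WHATWG URL parser (the same rules browsers
// apply) means scheme case and leading whitespace are normalised before the
// check, so "javascript:" cannot slip past an allowlist the way it can past a
// plain string-prefix comparison.
function validateBannerUrl(value) {
  if (typeof value !== 'string' || value.length > 2048) return null;
  let url;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol) || url.hostname === '') return null;
  return url.href;
}

// Returns EVENT_ID as an integer when it is a plain decimal number, else null.
// Same intent as the advisory's IsNumeric/CLng fix, but stricter (no sign,
// exponent or whitespace); bind the result as a query parameter rather than
// concatenating it into the UPDATE against PORTAL_EVENTS.
function parseEventId(value) {
  if (typeof value !== 'string' || !/^[0-9]{1,9}$/.test(value)) return null;
  return Number(value);
}

// Output encoding for the stored banner URL when it is written into an href
// attribute: validation on input and encoding on output belong together.
function escapeHtmlAttr(text) {
  return text.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Constructed sample inputs (not real submissions).
function demo() {
  const urls = ['javascript:alert(document.cookie)', ' JavaScript:alert(1)',
    'http://example.com/banner.gif', '//example.com/x'];
  for (const v of urls) console.log(JSON.stringify(v), '->', validateBannerUrl(v));
  for (const v of ['42', '42 OR 1=1', '1e3']) console.log(JSON.stringify(v), '->', parseEventId(v));
}
demo();
```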



Max Web Portal 1.33 is probably affected by other security issues.
The vendor's site seems to be down and contacting them seems to be impossible.



Author:  
Zinho is webmaster and founder of http://www.hackerscenter.com, a security research portal.
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp

zinho-no-spam @ hackerscenter.com 


====>
Webmaster of
.:[ Hackers Center : Internet Security Portal]:.
http://www.hackerscenter.com
http://www.securityforge.com/web-hosting
