From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Fri Feb 15 2002 - 08:04:44 CST


    +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------ Security Advisory ----/---------/+
    +/----------\----- ID: ARL02-A03 ---/----------/+
    +/-----------\---- salperolympos.org --/-----------/+


    Advisory Information
    --------------------
    Name : DCP-Portal Cross Site Scripting Vulnerability
    Software Package : DCP-Portal
    Vendor Homepage : http://www.dcp-portal.com
    Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 and probably all
                         previous versions.
    Platforms : Linux
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 09/02/2002 (no reply)
    Prior Problems : N/A
    Current Version : 4.2 (vulnerable)


    Summary
    -------
    DCP-Portal is a content management system with advanced features like
    web-based update, link, file, member management, poll, calendar, etc.
    Its main features include an admin panel to manage the entire site, a
    smart HTML editor to add news, content, and announcements, the ability
    for members to submit news/content and write reviews, and much more.
    It's an open-source project, which is also supported by FreshMeat.

    A Cross Site Scripting vulnerability exists in DCP-Portal.
    This would allow a remote attacker to send information to victims
    from untrusted web servers, and make it look as if the information
    came from the legitimate server.


    Details
    -------
    The attacker will first register, probably with a username that sorts
    first alphabetically (e.g. aaaaa). After registering, activating and
    logging in with the account, he/she would request the Change Details
    form "http://www.dcp-portal_host/user_update.php".
    There, he/she may change the job info, inserting arbitrary code.
    Example:
    <script>alert("ALPERz was here!")</script>
    After applying this information, whenever any logged-in member requests
    the members page, this CSS vulnerability will take effect.

    This CSS vulnerability might also be exploitable when a user first
    registers.

    Solution
    --------
    Suggested Solution:
    Strip HTML tags, and possibly other malicious code, within
    user_update.php.
    Vendor did not care to reply or was unreachable.

    Credits
    -------
    Discovered on 09, February, 2002 by Ahmet Sabri ALPER salperolympos.org
    Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.

    Olympos Turkish Security Portal:
    http://www.olympos.org


    References
    ----------
    Product Web Page: http://www.dcp-portal.com
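
Added example, not part of the advisory and not DCP-Portal's own code: the suggested fix (strip tags when the job field is saved) paired with output encoding on the members page, which also neutralizes values stored before the fix or entered at registration. The function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; function names and sample data are hypothetical,
// not taken from DCP-Portal's source.

// Input side (the advisory's suggestion for user_update.php):
// drop control characters and HTML tags before the value is stored.
function clean_profile_field(string $raw): string
{
    $text = preg_replace('/[\x00-\x1F\x7F]/', '', $raw) ?? '';
    return trim(strip_tags($text));
}

// Output side: encode every stored value when the members page is built,
// so rows saved before the input fix (or via registration) are inert too.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_member_row(string $username, string $job): string
{
    return '<tr><td>' . h($username) . '</td><td>' . h($job) . "</td></tr>\n";
}

// Constructed rows: [username, job as submitted]. The second job value is
// the example string from the advisory.
$submitted = [
    ['bob',   'Editor, R&D "web" team'],
    ['aaaaa', '<script>alert("ALPERz was here!")</script>'],
];

foreach ($submitted as [$user, $job]) {
    // Row stored after the fix: cleaned on input, encoded on output.
    echo render_member_row($user, clean_profile_field($job));
    // Row stored before the fix: raw in the database, encoded on output only.
    echo render_member_row($user, $job);
}
```

Run with the PHP command-line interpreter; each submitted value is printed twice so the cleaned-and-encoded row can be compared with the encoded-only row.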