[24295] in bugtraq
[ARL02-A03] DCP-Portal Cross Site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (Ahmet Sabri ALPER)
Fri Feb 15 14:03:50 2002
Date: 15 Feb 2002 14:04:44 -0000
Message-ID: <20020215140444.22872.qmail@mail.securityfocus.com>
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A03 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+
Advisory Information
--------------------
Name               : DCP-Portal Cross Site Scripting Vulnerability
Software Package   : DCP-Portal
Vendor Homepage    : http://www.dcp-portal.com
Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 and probably all previous versions.
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 09/02/2002 (no reply)
Prior Problems     : N/A
Current Version    : 4.2 (vulnerable)
Summary
-------
DCP-Portal is a content management system with advanced features like web-based update, link, file, member management, poll, calendar, etc. Its main features include an admin panel to manage the entire site, a smart HTML editor to add news, content, and announcements, the ability for members to submit news/content and write reviews, and much more. It's an open-source project, which is also supported by FreshMeat.

A Cross Site Scripting vulnerability exists in DCP-Portal. This would allow a remote attacker to send information to victims from untrusted web servers, and make it look as if the information came from the legitimate server.
Details
-------
The attacker will first register, probably with an alphabetically first-coming username (eg: aaaaa). After registering, activating and logging in with the account, he/she would request the Change Details form "http://www.dcp-portal_host/user_update.php". There, he/she may change the job info, inserting arbitrary code.

Example:
<script>alert("ALPERz was here!")</script>

After applying this information, whenever any logged-in member requests the members page, this CSS (cross site scripting) vulnerability will take effect.

This CSS vulnerability might also be exploitable when a user first registers.
Solution
--------
Suggested Solution:
Strip HTML tags, and possibly other malicious code, within user_update.php.

Vendor did not care to reply or was unreachable.
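The following PHP is an added illustration, not DCP-Portal's own code, of the stored cross-site scripting pattern the Details section describes and of the fix the Solution section suggests. The function names, the members-page row layout and the sample username are assumptions; the payload is the one given in the advisory. It shows the unescaped output that makes the job field dangerous, the same output with HTML encoding applied at render time, and the suggested strip-tags step used as an additional filter on save rather than as the only defence.

```php
<?php
// Added example (not DCP-Portal code). Hypothetical function names throughout.
// Demonstrates why a profile field edited via user_update.php becomes stored
// XSS when it is echoed unescaped on the members page, and how to stop it.

// Constructed sample input: the payload quoted in the advisory, as a member
// would submit it in the job-info field.
$submittedJob = '<script>alert("ALPERz was here!")</script>';

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so any markup in it is parsed and executed by every viewer's browser.
function render_member_row_vulnerable(string $username, string $job): string
{
    return "<tr><td>$username</td><td>$job</td></tr>";
}

// Hardened pattern: encode at the point of output for the HTML text context.
// ENT_QUOTES also encodes single and double quotes, which matters if the same
// value is ever placed inside an attribute.
function render_member_row_safe(string $username, string $job): string
{
    $u = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $j = htmlspecialchars($job, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>$u</td><td>$j</td></tr>";
}

// The advisory's suggested fix (strip HTML tags when the form is applied).
// Useful as defence in depth on the write path, but strip_tags() only removes
// tags; it leaves quotes and other characters that are still dangerous in
// attribute or JavaScript contexts, so output encoding remains necessary.
function sanitize_profile_field(string $value): string
{
    return trim(strip_tags($value));
}

// Usage: compare the three renderings of the same submitted value.
echo "Vulnerable: ", render_member_row_vulnerable('aaaaa', $submittedJob), "\n";
echo "Encoded:    ", render_member_row_safe('aaaaa', $submittedJob), "\n";
echo "Stripped+encoded: ",
     render_member_row_safe('aaaaa', sanitize_profile_field($submittedJob)), "\n";
```

Run it with the PHP CLI and compare the three lines: in the first the script element reaches the page intact, in the second it is rendered as visible text, and in the third the tags are gone and the remainder is still encoded. Applying the encoding in the shared rendering code for the members page, rather than only in user_update.php, also covers the registration path the advisory notes may be affected.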
Credits
-------
Discovered on 09 February 2002 by Ahmet Sabri ALPER (salper@olympos.org).
Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.
Olympos Turkish Security Portal: http://www.olympos.org
References
----------
Product Web Page: http://www.dcp-portal.com