[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ocPortal 9.0.16 Multiply XSS Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ocPortal 9.0.16 Multiply XSS Vulnerabilities
From: dennis.veninga@xxxxxxxxx
Date: Sun, 8 Mar 2015 19:30:04 GMT

# Exploit Title: ocPortal 9.0.16 Multiply XSS Vulnerabilities
# Google Dork: "Copyright (c) ocPortal 2011 "
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://ocportal.com/
# Vendor contacted: 22-2-2015
# Fix: 
http://ocportal.com/site/news/view/security_issues/xss-vulnerability-patch.htm
# Version: 9.0.16
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64

ocPortal ->
Version:                9.0.16
Type:                   XSS
Severity:               Critical
Info Exploit:           There are MANY possibilities to execute XSS on the new 
released ocPortal.

All XSS attacks are done by a new registered user, so no extra rights are 
given. It's all standard.

#######################################################
Events/Calendar, vulnerable to XSS attack:
URL:  http://{target}/ocportal/cms/index.php?page=cms_calendar&type=ad
Title & text field, enter XSS code in both fields. Somewhere else the title XSS 
is executed, and elsewhere the Text/info XSS code is executed.

When entering an XSS attack, on the events page, when mouse-over the just made 
event, it also reproduces an XSS.
URL: 
http://{target}/ocportal/index.php?page=calendar&type=misc&id=2015-02&view=month
XSS Vulnerability on the events which ALSO affects the Admin Panel, when Admin 
visits the panel and wants to edit it.
#######################################################

Poll, vulnerable to XSS-attack.
URL: http://{yourwebsite}/ocportal/cms/index.php?page=cms_polls&type=ad
Just fill some XSS-code into the fields. Publish and see the result
#######################################################

Forum, vulnerable to XSS-attack
URL: http://{target}/ocportal/forum/index.php?page=topics&type=new_topic&id=2

Creating a new topic with all the fields XSS-ed, performs the XSS attack when 
an user is browsing the homepage.
This is happening when the active topics are shown on the index page. 
But on the forum page itself, it isn't working.
#######################################################

New PT (private topic/private message), vulnerable to XSS-attack
URL: http://{target}/ocportal/forum/index.php?page=topics&type=new_pt

Now, because I got a new private message, this XSS is executed everywhere!!
#######################################################

Prev by Date: [security bulletin] HPSBGN03277 rev.1 - HP Virtualization Performance Viewer, Remote Execution of Code, Denial of Service (DoS) and Other Vulnerabilities
Next by Date: [ MDVSA-2015:056 ] rpm
Previous by thread: [security bulletin] HPSBGN03277 rev.1 - HP Virtualization Performance Viewer, Remote Execution of Code, Denial of Service (DoS) and Other Vulnerabilities
Next by thread: [ MDVSA-2015:056 ] rpm
Index(es):
- Date
- Thread