From: "Ahmet Sabri ALPER"
To:
Subject: [ARL02-A03] DCP-Portal Cross Site Scripting Vulnerability
Date: Friday, 15 February 2002 18:28

+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A03 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+

Advisory Information
--------------------
Name               : DCP-Portal Cross Site Scripting Vulnerability
Software Package   : DCP-Portal
Vendor Homepage    : http://www.dcp-portal.com
Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 and probably all previous versions.
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 09/02/2002 (no reply)
Prior Problems     : N/A
Current Version    : 4.2 (vulnerable)

Summary
-------
DCP-Portal is a content management system with advanced features such as web-based update, link, file and member management, polls, a calendar, etc. Its main features include an admin panel to manage the entire site, a smart HTML editor to add news, content and announcements, the ability for members to submit news/content and write reviews, and much more. It is an open-source project, which is also supported by FreshMeat.

A Cross Site Scripting vulnerability exists in DCP-Portal. It allows a remote attacker to send information to victims from untrusted web servers and make it look as if the information came from the legitimate server.

Details
-------
The attacker first registers, probably with a username that sorts alphabetically first (e.g. aaaaa). After registering, activating and logging in with the account, he/she requests the Change Details form at "http://www.dcp-portal_host/user_update.php". There, he/she may change the job info, inserting arbitrary code.

Example:

<script>alert("ALPERz was here!")</script>

Once this information is applied, this cross-site scripting (CSS) vulnerability takes effect whenever any logged-in member requests the members page.

This CSS vulnerability might also be exploitable when a user first registers.

Solution
--------
Suggested Solution: Strip HTML tags, and possibly other malicious code, within user_update.php.

The vendor did not care to reply or was unreachable.

Credits
-------
Discovered on 09 February 2002 by Ahmet Sabri ALPER, salper@olympos.org

Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.
Olympos Turkish Security Portal: http://www.olympos.org

References
----------
Product Web Page: http://www.dcp-portal.com
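The following PHP is an added illustration of the flaw class and of the suggested fix; it is not DCP-Portal's own code, and the function names and sample inputs are hypothetical. It models the profile "job" field being echoed into the members page, compares the advisory's fix (stripping tags on input) with encoding at the point of output, and includes a tag-free test value to show why stripping alone is not sufficient when the stored text is later written inside an HTML attribute.

```php
<?php
// Added example, not DCP-Portal code. Models a profile field that is
// stored from user_update.php and later rendered on the members page.

// Constructed sample inputs (hypothetical): a benign value, the payload
// quoted in the advisory, and a value with no tags at all, which
// strip_tags() leaves untouched but which still breaks out of a quoted
// attribute if it is echoed there unencoded.
$samples = [
    'benign'     => 'System Security Editor',
    'script_tag' => '<script>alert("ALPERz was here!")</script>',
    'no_tags'    => '" onmouseover="alert(1)',
];

// Vulnerable rendering: the stored value lands in the page verbatim,
// once as a text node and once inside a double-quoted attribute.
function render_vulnerable(string $job): string
{
    return '<td title="' . $job . '">' . $job . '</td>';
}

// The advisory's suggested fix: strip tags when the form is submitted,
// before the value is saved.
function store_stripped(string $job): string
{
    return strip_tags($job);
}

// Robust fix: keep the raw value in storage and encode it for the HTML
// context at output time. ENT_QUOTES also encodes single and double
// quotes, so the value cannot terminate a quoted attribute.
function render_encoded(string $job): string
{
    $safe = htmlspecialchars($job, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td title="' . $safe . '">' . $safe . '</td>';
}

foreach ($samples as $label => $job) {
    echo "--- $label ---\n";
    echo "vulnerable : " . render_vulnerable($job) . "\n";
    echo "stripped   : " . render_vulnerable(store_stripped($job)) . "\n";
    echo "encoded    : " . render_encoded($job) . "\n";
}
```

Running this shows that strip_tags() removes the `<script>` element from the advisory's payload, but passes the `no_tags` value through unchanged, so the attribute-based variant still reaches the browser. The htmlspecialchars() rendering neutralises both: `<` becomes `&lt;` and `"` becomes `&quot;`, and the text is displayed exactly as the member typed it. Input stripping can be kept as defence in depth, but output encoding for the target context is the control to rely on.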