lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060717073539.24739.qmail@securityfocus.com>
Date: 17 Jul 2006 07:35:39 -0000
From: binary.loc@...il.com
To: bugtraq@...urityfocus.com
Subject: osDate 1.1.7 multiple vulnerabilities

/*\ osDate 1.1.7 advisory /*\

Date of written Advisory:
-------------------------
July, 18 2006


Product:
--------
OSdate <= 1.1.7


Vendor:
-------
http://tufat.com/


Description:
------------
osDate is a full fledged dating script which can be eaily integrated with phpBB and flashChat, and provides various payment methods.


Exploit(s) / Vulnerability(ies):
--------------------------------
osDate 1.1.7 is prone to XSS attacks, which allow an attacker a method through which to steal cookies and deface user's profiles, as well as boost their own ratings by passing unreasonably large votes.

Two variables are not sanitized properly before being used.

here is a comment being written to the database, with no sanitization:

...
$db->query( $sql, array( USER_RATING_TABLE, $_SESSION['UserId'], $_GET['id'], '0', time(), $_GET['ratingid'], substr($_POST["txtcomment"],0,250), date("Y/m/d") ) );
...

The second problem exists in the rating.   $_POST['txtrating'] is not checked to make sure it is a valid value.  the string is simmply accepted and written to the database.  Because the rating is decided based on an average of all of the ratings, passing a large rating (such as 100) will preserve a perfect 10 rating.


PoC(s):
-------
A user's page could be defaced by simply posting a comment with the following text:
<img src="NOEXIST.NULL" onerror="alert('XSS')">

When the user's profile comments are viewed, the alert/compramised page will appear.


As for the rating exploit:
<form method="post" action="http://site.com/showprofile.php?id=????&amp;ratingid=?&amp;action=rate">
<select name="txtrating">
<option value="100">Boost your rating!</option>
</select>
<input name="submit" class="formbutton" value="Submit Rating" type="submit">


Vendor Status:
--------------
Vendor was not informed before publication.


Solution:
---------
The vendor has yet to publish a solution for either exploit.


Credits:
--------
binaryloc

binaryloc[at]gmail[dot]com

http://binary.copyleftwriting.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ