[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060717073539.24739.qmail@securityfocus.com>
Date: 17 Jul 2006 07:35:39 -0000
From: binary.loc@...il.com
To: bugtraq@...urityfocus.com
Subject: osDate 1.1.7 multiple vulnerabilities
/*\ osDate 1.1.7 advisory /*\
Date of written Advisory:
-------------------------
July, 18 2006
Product:
--------
OSdate <= 1.1.7
Vendor:
-------
http://tufat.com/
Description:
------------
osDate is a full fledged dating script which can be eaily integrated with phpBB and flashChat, and provides various payment methods.
Exploit(s) / Vulnerability(ies):
--------------------------------
osDate 1.1.7 is prone to XSS attacks, which allow an attacker a method through which to steal cookies and deface user's profiles, as well as boost their own ratings by passing unreasonably large votes.
Two variables are not sanitized properly before being used.
here is a comment being written to the database, with no sanitization:
...
$db->query( $sql, array( USER_RATING_TABLE, $_SESSION['UserId'], $_GET['id'], '0', time(), $_GET['ratingid'], substr($_POST["txtcomment"],0,250), date("Y/m/d") ) );
...
The second problem exists in the rating. $_POST['txtrating'] is not checked to make sure it is a valid value. the string is simmply accepted and written to the database. Because the rating is decided based on an average of all of the ratings, passing a large rating (such as 100) will preserve a perfect 10 rating.
PoC(s):
-------
A user's page could be defaced by simply posting a comment with the following text:
<img src="NOEXIST.NULL" onerror="alert('XSS')">
When the user's profile comments are viewed, the alert/compramised page will appear.
As for the rating exploit:
<form method="post" action="http://site.com/showprofile.php?id=????&ratingid=?&action=rate">
<select name="txtrating">
<option value="100">Boost your rating!</option>
</select>
<input name="submit" class="formbutton" value="Submit Rating" type="submit">
Vendor Status:
--------------
Vendor was not informed before publication.
Solution:
---------
The vendor has yet to publish a solution for either exploit.
Credits:
--------
binaryloc
binaryloc[at]gmail[dot]com
http://binary.copyleftwriting.org
Powered by blists - more mailing lists