Dating biz@ dating script v1.0 - XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Dating biz@ dating script v1.0 - XSS
From: luny@xxxxxxxxxxxxxxx
Date: 22 Jun 2006 23:13:20 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Custom dating biz@ dating script v1.0

Homepage:
http://www.e-cbd.biz/php_dating_script.html

Affected files:

*Profiles
user_view.php
photo_create.php
---------------------------------

The edit profile form can be spoofed and a user can enter any data he wishes 
and it will update his profile. The "Choose an opening like and Pople say you 
look like" input boxes are the only ones that when entered, will be reviewed by 
the sites admin. Max char limit stored in the db for each profile box appears 
to be 36 chars EXCEPT for the input box "Special Cases". This box is where I 
will 

display our XSS example with the cookie info.

PoC:

<script>alert(document.cookie)</script>


Screenshots:

http://www.youfucktard.com/xsp/ebizdate1.jpg
http://www.youfucktard.com/xsp/ebizdate2.jpg
http://www.youfucktard.com/xsp/ebizdate3.jpg

-----------------------------------

XSS vuln via user_view.php:

http://www.example.com/user_view.php?u=<iframe%20src=http://ha.ckers.org/scriptlet.html>

----------------------------------

XSS vuln on photo_create.php.

Max char limit stored in db is only 32, but data isn't sanatized.

---------------------------------

Prev by Date: productcart soltan_defacer
Next by Date: WBB<<---v1.2 "showmods.php" SQL Injection
Previous by thread: productcart soltan_defacer
Next by thread: WBB<<---v1.2 "showmods.php" SQL Injection
Index(es):
- Date
- Thread