|
Buddy Zone Version 1.0.1=0D
=0D
Homepage:=0D
http://www.vastal.com/buddy-zone-social-networking-script.html=0D
=0D
Affected files:=0D
=0D
*Sending invitations=0D
*Profiles=0D
*Blogs=0D
*Journals=0D
*Posting comments=0D
*Posting in the forum=0D
*Sending mail=0D
*Creating a group=0D
view_sub_forum.php=0D
view_post.php=0D
view_classifieds.php=0D
view_ad.php=0D
view_event.php=0D
delete_event.php=0D
edit_event.php=0D
view_group.php=0D
*Posting a event=0D
-------------------------------------------------=0D
=0D
XSS vuln with session disclosure when signing up & sending invites:=0D
=0D
Data isn't sanatized before being generated here. For a PoC as your first name, last name, city etc, put . When sending an invite to people this XSS vuln is also displayed in the email it sends, since it says your first & last name.=0D
=0D
Screenshots:=0D
=0D
http://www.youfucktard.com/xsp/buddyzone1.jpg=0D
http://www.youfucktard.com/xsp/buddyzone2.jpg=0D
http://www.youfucktard.com/xsp/buddyzone3.jpg=0D
=0D
Since your name as well as other info shows up in your profile, viewing profiles also can create this XSS. Other input boxes in profiles that are vulnerable to this are:=0D
=0D
*Headline=0D
*About me=0D
*Like to meet me=0D
*Interests=0D
*Music=0D
*Movies=0D
*Television=0D
*Books=0D
*Hereos=0D
=0D
Basically, at this time, all input boxes when editing a profile are.=0D
=0D
-----------------------------------------------=0D
=0D
XSS vuln when posting comments in blogs and profiles:=0D
=0D
Same as above, data is not sanatized here either. For a PoC as a blog comment put:=0D
=0D
=0D
=0D
When comments is profiles this also works. For a PoC try putting:=0D
=0D
=0D
----------------------------------------------=0D
=0D
XSS vuln when posting in the forum:=0D
=0D
Same as above, with no filter evasion as your forum body input put:=0D
=0D
=0D
=0D
----------------------------------------------=0D
XSS vuln when posting a journal entry:=0D
=0D
Same as above, with no filter evasion as your journal entry or title put:=0D
=0D
=0D
=0D
------------------------------------------------=0D
XSS vuln when sending mail:=0D
=0D
Same as above, with no filter evasion, as your mail msg title and/or subject put:=0D
=0D
=0D
----------------------------------------=0D
=0D
XSS vuln when creating a group:=0D
=0D
Same as above with no evasion, as your group name or description put:=0D
=0D
=0D
=0D
------------------------------------------=0D
=0D
Full path disclosure via view_sub_forum.php.=0D
=0D
URL:=0D
http://www.example.com/view_sub_forum.php?main_cat='=0D
=0D
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /mounted-storage/home20b/sub001/sc20289-DAPC/domain/user/classes/forum.class.php on line 162=0D
=0D
More full path disclosures:=0D
=0D
http://www.example.com/view_classifieds.php?cat_id=8'=0D
http://www.example.com/view_ad.php?id=4'=0D
http://www.exmaple.com/view_event.php?event_id=8'=0D
http://www.example.com/delete_event.php?event_id='=0D
http://www.example.com/edit_event.php?event_id='=0D
http://www.exmaple.com/view_group.php?group_id='=0D
------------------------------------------------=0D
=0D
XSS vuln when posting a event:=0D
=0D
Data isn't sanatized here either, for a PoC as event name, description, or long description put:=0D
=0D
=0D
=0D
-----------------------------------------------=0D