DMXReady Members Area Manager Persistent XSS

vendor:

Members Area Manager

by:

L0rd CrusAd3r aka VSN

8,8

CVSS

HIGH

Persistent XSS

CWE

Product Name: Members Area Manager

Affected Version From: 2

Affected Version To: 2

Patch Exists: YES

Related CWE: N/A

CPE: cpe:a:dmxready:members_area_manager:2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

DMXReady Members Area Manager Persistent XSS

DMXReady Members Area Manager is vulnerable to persistent XSS. An attacker can inject malicious JavaScript code in the "Username" field of the login page. When a user visits the page, the malicious code will be executed in the user's browser. This can be used to steal the user's session cookie and hijack the user's session.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of DMXReady Members Area Manager.

Source

Exploit-DB raw data:

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title: DMXReady Members Area Manager Persistent XSS
Vendor url:http://www.dmxready.com/
Version:2
Price:295$
Published: 2010-09-06
GThanx to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat,
M4n0j,NoCare,SeeMe, gunslinger, Th3 RDX.
Greetz to : Inj3ct0r Exploit DataBase (inj3ct0r.com)
Special Greetz: Topsecure.net,0xr00t.com,Andhrahackers.com
Shoutzz:- To all ICW & Inj3ct0r members.
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Description:

DMXReady Members Area Manager allows you to quickly create a whole area of
your website that is 'members only' so you can control who sees your
content!

    * Plug in automatically into DMXReady CMS or secure any web page on your
current ASP-enabled website with one line of script
    * Secure newsletter pages, organizational news, photo galleries,
paid-for content, and any online content you like
    * Unlimited security levels
    * Name your own levels i.e. "Visitor", "Member", "Subscriber", etc.
    * Easy-to-use Control Panel means anyone in the office can adjust
security settings
    * Members sign up themselves, which means less administration work for
you
    * Built-in member messaging feature - send to all members or only
certain groups
    * "Lost Password" feature sends password to members automatically
    * Fully open source so you can customize even further
    * Add in your own custom features


~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Vulnerability:

Persistent XSS :-

Step 1) Login into member or User Section

Link:

http://www.site.com/dmxreadyv2/membersareamanager/membersareamanager.asp?show=login-member

Step 2) Go to Edit profile

XSS Bug present in following

*)Contact Information

Address 2

*)Shipping Address

Address 2

*)Profile Details

Detail

Step 3) Enter your Attack Pattern

Step 4) Refresh and View User profile

Demo Url:-
http://www.site.com/dmxreadyv2/membersareamanager/membersareamanager.asp?member=&show=member-profile&tab=meta

~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

# 0day n0 m0re #
# L0rd CrusAd3r #