=========================================================================
TeamIntell Security Advisory TISA2007-04-Public
-------------------------------------------------------------------------
DVD Rental System multiple XSS and CSRF vulnerabilities
=========================================================================

Release Date: 02.08.2007
Severity:     Less critical
Impact:       Cross Site Scripting (XSS)
              Cross Site Request Forgery (CSRF)
Status:       Official patch available
Software:     DVD Rental System 5.1 (DRS)
Vendor:       http://www.dvdrentalsystem.com/
Disclosed:    Edi Strosar (TeamIntell)

Description:
============
DRS, an online DVD rental application, is vulnerable to multiple XSS and
CSRF attacks. Proof of concept will not be publicly released.

Details:
========
TeamIntell discovered multiple vulnerabilities in the online DVD Rental
System, which can be exploited by malicious users to conduct cross-site
scripting[1] and cross-site request forgery[2] attacks:

[1] DRS does not properly sanitize user-supplied data before sending it to
clients. This can be exploited to execute arbitrary HTML and script code in
a user's browser session in the context of an affected site.

[2] The script index.php allows users to perform certain actions via HTTP
requests without performing validity checks to verify the request. This can
be exploited to modify users' data or cancel a subscription permanently.

Note: in some cases CSRF attacks could be site specific. TeamIntell
developed a working PoC that affects users of one of DVD Rental System's
business partners.

The vulnerabilities are confirmed in DVD Rental System version 5.1. Other
versions may be affected.

Solution:
=========
The vendor has reported that the DVD Rental System scripts are updated and
patched. Customers should contact the vendor for details.
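The following is a hypothetical index.php action handler added here as an illustration (it is not DRS code), showing the two weaknesses the advisory describes and how a fix addresses them: a per-session anti-CSRF token that must accompany a POST before a state-changing action runs, and HTML escaping of user-supplied values before they are sent to the client. The handler names, the cancel_subscription() stub and the request values are assumptions.

```php
<?php
// Added example, not part of DVD Rental System. Hypothetical handler for a
// "cancel subscription" action in index.php, first as the advisory describes
// it, then hardened against CSRF and XSS.
session_start();

// Assumed data-access stub so the example runs stand-alone.
function cancel_subscription(int $userId): string {
    return "Subscription for user $userId cancelled";
}

// WEAK (constructed to mirror the advisory): the action runs for any
// request that names it, regardless of method or origin, and the
// user-supplied "msg" value is echoed back without escaping.
function handle_weak(array $request, int $userId): string {
    $out = '';
    if (($request['action'] ?? '') === 'cancel') {
        $out .= cancel_subscription($userId) . ' ';
    }
    return $out . '<p>' . ($request['msg'] ?? '') . '</p>';
}

// HARDENED: one random token per session, embedded in the site's own forms;
// a state-changing action needs POST plus a constant-time token match.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function handle_hardened(string $method, array $request, int $userId): string {
    $out = '';
    if (($request['action'] ?? '') === 'cancel') {
        $token = $request['csrf'] ?? '';
        if ($method !== 'POST' || !hash_equals(csrf_token(), $token)) {
            http_response_code(403);
            return 'Request rejected: missing or invalid CSRF token';
        }
        $out .= cancel_subscription($userId) . ' ';
    }
    // Escape before output so markup in "msg" is rendered as text, not HTML.
    $msg = htmlspecialchars($request['msg'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $out . '<p>' . $msg . '</p>';
}

// Constructed requests: a cross-site GET carries no token and is refused.
$forged = ['action' => 'cancel', 'msg' => 'Thanks <b>&</b> bye'];
echo handle_weak($forged, 42), "\n";           // action runs, markup echoed raw
echo handle_hardened('GET', $forged, 42), "\n"; // rejected
$legit = $forged + ['csrf' => csrf_token()];
echo handle_hardened('POST', $legit, 42), "\n"; // action runs, markup escaped
```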
References:
===========
http://en.wikipedia.org/wiki/XSS
http://en.wikipedia.org/wiki/Cross-site_request_forgery

Timeline:
=========
20.07.2007 - vulnerabilities discovered
21.07.2007 - vendor informed
01.08.2007 - vendor reports that the scripts are updated and patched
02.08.2007 - public disclosure

Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI
tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com

Disclaimer:
===========
The content of this report is purely informational and meant for
educational purposes only. Maldin d.o.o. shall in no event be liable for
any damage whatsoever, direct or implied, arising from use or spread of
this information. Any use of information in this advisory is entirely at
the user's own risk.

=========================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/