# Ariko-Security: Security Audits, Audyt bezpieczeństwa
# Advisory: 3/2011
============ { Ariko-Security - Advisory #3/1/2011 } =============
Tevs tube script multiple XSS vulnerabilities
Vendor's description of software and demo:
# http://www.bigdotmedia.com/tevs.php
Dork:
# N/a
Application Info:
# TEVS
# v1.2
Vulnerability Info:
# Type: XSS
Time Table:
# 24/12/2010 - Vendor notified
# 06/01/2011 - Release Date. (not fixed)
XSS:
# Input passed to the "vid" parameter in go.php is not properly sanitised before being returned to the user.
# Input passed to the "q" and "go" parameters in videos.php is not properly sanitised before being returned to the user.
Sample POC:
#http://server/videos.php?go=&q=%22%3E%3CiMg+SrC%3dx+OnErRoR%3dalert%2854733%29%3Ehttp://www.britic.com.
Solution:
# Input validation of vulnerable parameters should be corrected.
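One way to apply this fix in PHP, shown as an added example that is not TEVS code and not part of the original advisory: encode reflected values at output time and allowlist the id parameter. The function names, the search-box markup and the assumption that "vid" is a numeric id are hypothetical, since the advisory does not show the application's source.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the real TEVS source is not shown in the advisory.

/** Encode untrusted text for an HTML body or a quoted attribute value. */
function html_escape(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allowlist check for "vid", assumed here to be a short numeric video id. */
function parse_video_id(?string $raw): ?int
{
    if ($raw === null || !ctype_digit($raw) || strlen($raw) > 9) {
        return null; // caller should answer with an error page, not echo $raw
    }
    return (int) $raw;
}

/** Render a search box the way a page like videos.php might (assumed markup). */
function render_search_box(string $q): string
{
    return '<input type="text" name="q" value="' . html_escape($q) . '">';
}

// Constructed input: the decoded markup from the "q" value in the sample POC.
$q = '"><iMg SrC=x OnErRoR=alert(54733)>';

// Unsafe pattern: raw reflection lets the value close the attribute and add a tag.
$unsafe = '<input type="text" name="q" value="' . $q . '">';

echo 'unsafe: ', $unsafe, PHP_EOL;
echo 'safe:   ', render_search_box($q), PHP_EOL;

var_dump(parse_video_id('1337'));    // well-formed id
var_dump(parse_video_id('1"><x>'));  // markup smuggled into the id
```

The same encoding applies to the "go" parameter wherever it is written back into the page.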
Credit:
# Discovered By: Ariko-Security 2010