# Ariko-Security: Security Audits / Advisories

============ { Ariko-Security - Advisory #1/7/2012 } =============

OxWall 1.4.0 Cross-site scripting (XSS)

Vendor's description of software and download:
# Oxwall Foundation http://www.oxwall.org/

Dork:
# N/a

Application Info:
# OxWall 1.4.0 (latest release at the time of writing)

Vulnerability Info:
# Type: XSS

Time Table:
# 20/07/2012 - Vendor notified

XSS:
# Input passed to the "month" parameter in user_blog.php is not properly sanitised before being returned to the user.
# Input passed to the "email", "username", "repeatPassword", "password", "captchaField", "realname" and "form_name" parameters in join.php is not properly sanitised before being returned to the user.

Solution:
# Input validation of vulnerable parameters should be corrected.

POC:
# http://host/oxwall-1.4.0/blogs/user/arikosecurity?month=7-2012%22%3E%3CsCrIpT%3Ealert%2812345%29%3C%2fsCrIpT%3E

where arikosecurity is a registered user.
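The corrected input validation the Solution section calls for, and a check a defender can run over access logs for the PoC shape above, as an added example that is not part of the advisory or of OxWall's code. The "M-YYYY" allow-list, the year range and the sample request targets are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for the "month" archive selector: "M-YYYY", as in the advisory's 7-2012 (assumed format).
MONTH_RE = re.compile(r"^(1[0-2]|[1-9])-(\d{4})$")


def validate_month(value):
    """Return (month, year) for a well-formed 'M-YYYY' string, otherwise None."""
    if not isinstance(value, str):
        return None
    m = MONTH_RE.match(value)
    if m is None:
        return None
    month, year = int(m.group(1)), int(m.group(2))
    if not 2000 <= year <= 2100:  # assumed sane range for a blog archive
        return None
    return month, year


def render_month_heading(raw_value):
    """Heading a blog archive page might echo: reject bad input, escape whatever is echoed."""
    parsed = validate_month(raw_value)
    if parsed is None:
        return "<h2>Unknown month</h2>"
    month, year = parsed
    # Escaping is redundant after the allow-list, but costs nothing if the list is loosened later.
    return "<h2>Posts from %s</h2>" % html.escape("%d-%d" % (month, year), quote=True)


MARKUP_RE = re.compile(r"""[<>"']""")


def is_month_probe(request_target):
    """True if a logged request target carries a 'month' value that fails the allow-list and contains markup."""
    query = urlsplit(request_target).query
    for value in parse_qs(query, keep_blank_values=True).get("month", []):  # parse_qs percent-decodes
        if validate_month(value) is None and MARKUP_RE.search(value):
            return True
    return False


# Constructed access-log request targets (not from any real server); the second has the PoC shape.
SAMPLE_TARGETS = [
    "/oxwall-1.4.0/blogs/user/arikosecurity?month=7-2012",
    "/oxwall-1.4.0/blogs/user/arikosecurity?month=7-2012%22%3E%3CsCrIpT%3Ealert%2812345%29%3C%2fsCrIpT%3E",
    "/oxwall-1.4.0/blogs/user/arikosecurity?month=13-2012",
]


def flag_probes(targets):
    """Return the targets that look like reflected-XSS probes against the month parameter."""
    return [t for t in targets if is_month_probe(t)]
```

A value that fails the allow-list but carries no markup (the third sample) is a malformed request, not a probe, so it is rejected by validate_month but not flagged.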

Credit:
# Discovered By: Maciej Gojny / Ariko-Security 2012