# Ariko-Security: Security Audits, Audyt bezpieczeństwa (Security Audits)
# Advisory: 739/2010

# 13.10.2010

============ { Ariko-Security - Advisory #2/10/2010 } =============

Adult Website PRO multiple XSS

Vendor's Description of Software:
# http://adultwebsitepro.com/main.cfm?page=demo.cfm

Dork:
# N/A

Application Info:
# Name: Adult Website PRO
# V4.0 (last)

Vulnerability Info:
# Type: multiple XSS

Time Table:
# 03/10/2010 - Vendor informed.

Fix:
# n/a

Input passed to the "script_name" parameter in login.cfm is not properly
sanitised before being returned to the user.

Input passed to the "reason" parameter in login.cfm is not properly
sanitised before being returned to the user.

Input passed to the "path_info" parameter in login.cfm is not properly
sanitised before being returned to the user.

Solution:
# Input validation of all vulnerable parameters should be corrected.

Vulnerability samples:

login.cfm?reason=denied_empty&script_name=/demo/members/"/><script>alert(XSS)</script>&path_info=/demo/members/
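The following is an added illustration, not code from the advisory or from the vendor. It models the defect (echoing script_name, path_info and reason back into the page unencoded) beside the fix the advisory asks for, and feeds both the sample request above. The form markup, the allow-list pattern and the fallback value are assumptions; the product's real login.cfm is not on the page.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed stand-in for the fragment login.cfm appears to build when a login is
# refused, echoing the three parameters the advisory names. The real markup is assumed.
TEMPLATE = (
    '<form action="login.cfm" method="post">\n'
    '  <input type="hidden" name="script_name" value="{script_name}">\n'
    '  <input type="hidden" name="path_info" value="{path_info}">\n'
    '  <p class="notice">Reason: {reason}</p>\n'
    '</form>'
)

# script_name and path_info should only ever look like a URL path.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")


def parse_query(query: str) -> dict:
    """First value of each query parameter (empty string when absent)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(query: str) -> str:
    """Echo raw parameter values into the page: the defect the advisory describes."""
    p = parse_query(query)
    return TEMPLATE.format(script_name=p.get("script_name", ""),
                           path_info=p.get("path_info", ""),
                           reason=p.get("reason", ""))


def render_fixed(query: str) -> str:
    """Allow-list the path parameters, then HTML-encode every echoed value;
    quote=True also encodes ", so the advisory's sample cannot close value="...".
    """
    p = parse_query(query)

    def path(name: str) -> str:
        value = p.get(name, "")
        return value if SAFE_PATH.match(value) else "/"  # fall back, never echo

    return TEMPLATE.format(script_name=html.escape(path("script_name"), quote=True),
                           path_info=html.escape(path("path_info"), quote=True),
                           reason=html.escape(p.get("reason", ""), quote=True))


def became_markup(rendered: str) -> bool:
    """Test helper: a <script tag in the output means echoed input became markup."""
    return "<script" in rendered.lower()
```

The point of the quoted-attribute context is that encoding `<` and `>` alone is not enough; the `"` that closes the attribute must be encoded too, and the path parameters are better rejected outright when they do not look like paths.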

Credit:
# Discovered By: Ariko-Security 2010