aMember is susceptible to cross site scripting attacks via an unsanitized login variable.
09aeaa3107c25b1d5b405d6859a0ea1c2e31810c27dd8609186079c15aad9c49
------------------------------------------------------
Nightmare TeAmZ Advisory 014
------------------------------------------------------
Date - 11/2005
aMember Xss
AFFECTED PRODUCTS
=================
aMember
https://www.amember.com
OVERVIEW
========
aMember is a flexible membership software with full-featured subscription
management. It has support for PayPal, 2Checkout, ccBill, AllRepay,
Clickbank, Authorize.net, WorldPay, LinkPoint, NoChex and other payment
systems (50+ payment systems currently supported), and allows you to setup
paid-membership areas on your site. It can be used without any payment
system - you can manage users manually. It allows you to create different
subscription types with different prices, periods and access permissions.
Integrated with phpNuke, vBulletin and InvisionBoard and other scripts
Vulnerable Path Xss :
========
/sendpass.php?lamember_login=">[XSS]
/member.php?login=</textarea>[XSS]
Solution:
=========
1. Venditor Not Contacted
Credits
=======
This vulnerability was discovered and researched by
BiPi_HaCk of Nightmare TeAmZ
We're: BiPi_HaCk - r3d_4Ss4ult3r - Sub_Z3r0
Site: https://www.NightmareSecurity.net <--IT Security Forum
_________________________________________________________________
Scopri il nuovo MSN Htomail - 10MB di allegati
https://www.msn.it/hotmail/minisite_10