aMemberXSS.txt

`------------------------------------------------------  
Nightmare TeAmZ Advisory 014  
------------------------------------------------------  
Date - 11/2005  
aMember Xss  
  
  
AFFECTED PRODUCTS  
=================  
aMember  
http://www.amember.com  
  
  
OVERVIEW  
========  
aMember is a flexible membership software with full-featured subscription   
management. It has support for PayPal, 2Checkout, ccBill, AllRepay,   
Clickbank, Authorize.net, WorldPay, LinkPoint, NoChex and other payment   
systems (50+ payment systems currently supported), and allows you to setup   
paid-membership areas on your site. It can be used without any payment   
system - you can manage users manually. It allows you to create different   
subscription types with different prices, periods and access permissions.   
Integrated with phpNuke, vBulletin and InvisionBoard and other scripts  
  
  
Vulnerable Path Xss :  
========  
/sendpass.php?lamember_login=">[XSS]  
/member.php?login=</textarea>[XSS]  
  
  
Solution:  
=========  
1. Venditor Not Contacted  
  
  
Credits  
=======  
This vulnerability was discovered and researched by  
BiPi_HaCk of Nightmare TeAmZ  
We're: BiPi_HaCk - r3d_4Ss4ult3r - Sub_Z3r0  
Site: http://www.NightmareSecurity.net <--IT Security Forum  
  
_________________________________________________________________  
Scopri il nuovo MSN Htomail - 10MB di allegati   
http://www.msn.it/hotmail/minisite_10  
`