EZHomepagePro multiple XSS vuln.

EZHomepagePro multiple XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 27 march 2006
vendor:www.htmljunction.net/ezhomepagepro/index.asp
affected versions: v1.5 and prior
orginal advisory:
http://pridels.blogspot.com/2006/03/ezhomepagepro-multiple-xss-vuln.html
###############################################

Vuln. description:

EZHomepagePro contains a flaw that allows a remote cross site scripting
attack. This flaw exists because input passed to "adid","aname" paremters in
"/common/email.asp","/users/users_search.asp","/users/users_profiles.asp"
and "m" paremter in "/users/users_search.asp" and "page" paremter in
"/users/users_calendar.asp" and "usid" paremter in
"/users/users_mgallery.asp" isn't properly sanitised before being returned
to the user.
This could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.

examples:

/common/email.asp?page=user&m=y&select=r0t-&usid
=2&uname=guest&aname=&adid=[XSS]

/common/email.asp?page=user&m=y&select=r0t-&usid
=2&uname=&aname=[XSS]

/users/users_search.asp?page=user&uname=r0t&usid=
2&aname=&adid=&m=[XSS]

/users/users_search.asp?page=user&uname=r0t&usid=
2&aname=&adid=[XSS]

/users/users_search.asp?page=user&uname=r0t&usid=
2&aname=[XSS]

/users/users_calendar.asp?view=yes&action=write&una
me=r0t&usid=2&date=3/2/2006&sdate=3/2/2006&page=[XSS]

/users/users_profiles.asp?page=user&uname=r0t&usid=
2&aname=&adid=[XSS]

/users/users_profiles.asp?page=user&uname=r0t&usid=
2&aname=[XSS]

/users/users_mgallery.asp?gn=r0t&gp=guest&fl=Favor
ites&usid=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/