##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:		Tinypug Multiple Vulnerabilities
# Vendor:		http://platformassociates.com/
#               (project hosted at http://code.google.com/p/tinypug/)
# Vulnerable Version:	0.9.5 (and prior versions)
# Exploitation:		Remote with browser
# Fix:			N/A
###################################################################################

####################
- Description:
####################

Tinypug is a system for building portals that enable innovation communities and customer inquiry.
The idea is to go beyond one-off statistical surveys (which tend to only verify an existing paradigm)
to foster real collaboration, scalable two-way communication, and anecdotal feedback from users/customers. 


####################
- Vulnerability:
####################

+--> CSRF (Cross-Site Request Forgery)
	The password changing page is vulnerable to CSRF attack. This vulnerability
	can be used to change the password of the victim. For details of this
	process see "Exploits/PoCs" section.

+--> Stored XSS Vulnerability
	The comment page is vulnerable to Stored XSS attack. But comments will be published
	only after administrator confirmation. However this XSS vulnerablity can be
	used in conjunction with the more serious security whole (CSRF) in order to change
	administrator's password.

####################
- Exploits/PoCs:
####################

http://www.bugreport.ir/67/exploit.htm

####################
- Solution:
####################

For CSRF vulnerability password changing page must be changed in order to ask for the old password, too.

For XSS vulnerability you could include all of the comments in the approval page by <xmp> tag.


####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com