[32673] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

XSS Vulnerabilities in Alan Ward Acart

daemon@ATHENA.MIT.EDU (parag0d@phreaker.net)
Thu Dec 4 11:57:11 2003

Date: 4 Dec 2003 06:09:59 -0000
Message-ID: <20031204060959.5221.qmail@sf-www3-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <parag0d@phreaker.net>
To: bugtraq@securityfocus.com



Vulnerability:	XSS Vulnerabilities in msg

Description:	XSS (Cross Site Scripting) vulnerabilities exist in the msg parameter passed in the URL to many pages.  This can be used to run arbitrary code on the website, or redirect to some other malicious script.  These pages include:
	deliver.asp
	error.asp
	signin.asp
	admin/error.asp
	admin/index.asp

Exploit:	A test script was used to prove this vulnerability
	www.example.com/acart2_0/affected_page.asp?msg= &lt;script&gt;alert("test")&lt;/script&gt;

Solution:	The developer needs to properly sanitize variables passed through the URL to remove possible malicious code.

Credit:	CyberArmy Application and Code Auditing Team
	Parag0d

The developer was contacted about this matter but never gave any reply.


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[32673] in bugtraq

XSS Vulnerabilities in Alan Ward Acart

daemon@ATHENA.MIT.EDU (parag0d@phreaker.net)Thu Dec 4 11:57:11 2003

daemon@ATHENA.MIT.EDU (parag0d@phreaker.net)
Thu Dec 4 11:57:11 2003