by r0t, der4444, cembo, VietMafia

Monday, December 05, 2005

Amazon Search Directory XSS vuln.

Vuln. discovered by: r0t
Date: 5 Dec. 2005
Vendor: http://www.mrcgiguy.com/amazondetails.shtml
Affected version: v1.0.0 and prior


Product Description:

* Very easy to set up and use
* Customizable Header/Footer Templates
* Automatic insertion of Amazon QuickPay links with your affiliate code.
* Easy to navigate and search.
* Ready to use 'out of the box'. The script comes with the categories already created as seen in the demo. Use them if you'd like, or start from scratch.
* Capable of searching any product type in Amazon's catalog.


Vuln. description:

Input passed to the parameter in "search.cgi" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.
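As an added illustration of the fix (this is not the vendor's code; the results-page template and the parameter name "keyword" are assumptions, and the input is constructed), the echo-it-back pattern that causes the vulnerability is shown beside the escaped version, and Python's own HTML parser is used to show which elements a browser would build from each page:

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the page a search script like search.cgi returns.
# The search term is echoed twice: inside an attribute and inside element text.
# The parameter name "keyword" is an assumption, not taken from the advisory.
TEMPLATE = (
    '<form action="search.cgi">'
    '<input type="text" name="keyword" value="{term}">'
    '</form>'
    '<h2>Results for {term}</h2>'
)

def render_unsafe(term):
    """Vulnerable pattern: the query parameter is written into the page verbatim."""
    return TEMPLATE.format(term=term)

def render_safe(term):
    """Hardened pattern: HTML-encode before echoing. quote=True also turns
    " and ' into entities, so the value cannot close the input's attribute."""
    return TEMPLATE.format(term=html.escape(term, quote=True))

class _PageInspector(HTMLParser):
    """Records the elements a browser would create and the search box's value."""
    def __init__(self):
        super().__init__()          # convert_charrefs=True decodes entities
        self.seen_tags = []
        self.keyword_value = None

    def handle_starttag(self, tag, attrs):
        self.seen_tags.append(tag)
        if tag == "input":
            self.keyword_value = dict(attrs).get("value")

def inspect(page):
    """Return (list of start tags, decoded value of the search box)."""
    p = _PageInspector()
    p.feed(page)
    p.close()
    return p.seen_tags, p.keyword_value

if __name__ == "__main__":
    # Constructed input: a quote to leave the attribute, then a tag of its own.
    term = '"><b>laptop</b>'
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        tags, value = inspect(render(term))
        print(f"{name}: elements={tags} search_box_value={value!r}")
```

With the escaped version the page contains only the template's three elements and the search box round-trips the term unchanged; with the unescaped version the term's own tags become elements of the page.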

Copyright (c) 2006 Pridels Sec Crew