by r0t,der4444,cembo,VietMafia

Wednesday, December 14, 2005

The CITY Shop XSS vuln.

The CITY Shop XSS vuln.

Vuln. discovered by : r0t
Date: 14 dec. 2005
affected version:1.3 and prior

Product Description:

The CITY Shop is one of the most advanced, and certainly the most flexible open-source shopping cart available on the market. The CITY Shop has been designed with utmost flexibility in mind. Its object-oriented architecture allows it to perform exceptionally on any platform that provides Perl.
The CITY Shop runs under normal Perl, mod_perl, and any other scripting accelerators available. We value the user input regarding features and improvements, and we implement most of them in real time, making the new development easily available for everybody.

Vuln. Description:

The CITY Shop contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Edit the source code to ensure that input is properly sanitised.


Post a Comment

<< Home

Copyright (c) 2006 Pridels Sec Crew