by r0t,der4444,cembo,VietMafia

Wednesday, December 14, 2005

CKGOLD XSS vuln.

CKGOLD XSS vuln.
Vuln. dicovered by : r0t
Date: 14 dec. 2005
vendor:http://www.cartkeeper.com/
affected version:latest

Product Description:
CKGOLD - E-Commerce Shopping Cart Solution
The CKGold system is a feature rich shopping cart developed for those wishing to host their own store with fine tuned controls for items, inventory, cart and checkout. Below is a list of some of the great features you will find in CKGold. Over the years we've listened to our clients needs and have designed a rich sets of innovative tools to build an effective e-commerce site. We continually plan for improvements and new features based on client feedback and suggestions.


Vuln. Description:

CKGOLD contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search parameters in "search.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution:
Edit the source code to ensure that input is properly sanitised.

1 Comments:

Anonymous CartKeeper told...

This issue has been addressed in the current release of CKGold.

1:56 PM

 

Post a Comment

<< Home

 
Copyright (c) 2006 Pridels Sec Crew