by r0t,der4444,cembo,VietMafia

Thursday, December 15, 2005

DomainCart XSS


Vuln. discovered by: r0t
Date: 15 Dec. 2005
Vendor: www.zaygo.com/domain-shopping-cart/domaincart/
Affected version: 2.0 and prior

Product Description:

Zaygo DomainCart is a complete domain name search, order and registration solution. It allows your customers to search for domain names in over 100 top level domains, including .tv, .md and .ws domains. Domains can be added to a shopping cart, with automatic price and tax calculation. You can set separate prices for different domains, and allow registration for different numbers of years. After ordering, DomainCart can send customizable emails to you and your customers, with order details. DomainCart has easy web-based admin and installation, and is completely customizable using downloadable themes or your own HTML templates. DomainCart can be upgraded with plugins for automatic domain registration, credit card providers, selling hosting plans, domain transfers, and search wizards.

Vuln. Description:

DomainCart contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the search module's parameters is not properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.
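To illustrate the defect class described above (a search parameter reflected into the results page unchanged) and the fix the solution calls for, here is an added example that is not part of the advisory or of DomainCart's own code. The parameter name `q`, the page layout and the sample URL are constructed assumptions; the real parameter names are not given on the page.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a search URL whose parameter carries markup
# characters. The name "q" is an assumption, not DomainCart's real parameter.
SAMPLE_URL = "http://shop.example/search?q=%22%3E%3Cb%3Ereflected%3C%2Fb%3E"


def search_param(url: str, name: str = "q") -> str:
    """Extract one search parameter from a request URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Reflects the search term into HTML verbatim: the defect class the advisory reports.
    The term lands both in text content and inside an attribute value."""
    return f'<p>Results for "{term}"</p><input name="q" value="{term}">'


def render_results_fixed(term: str) -> str:
    """Same page, with the term entity-encoded for both HTML text and attribute contexts.
    quote=True also encodes the double and single quote so attribute breakout is closed."""
    safe = html.escape(term, quote=True)
    return f'<p>Results for "{safe}"</p><input name="q" value="{safe}">'


def reflects_raw_markup(term: str, page: str) -> bool:
    """Simple check for a response: does input carrying markup characters
    reach the rendered page unencoded? True means the reflection is unsafe."""
    markup_chars = '<>"\''
    return any(c in term for c in markup_chars) and term in page


if __name__ == "__main__":
    term = search_param(SAMPLE_URL)
    print("raw reflection:", reflects_raw_markup(term, render_results_vulnerable(term)))  # True
    print("after fix:     ", reflects_raw_markup(term, render_results_fixed(term)))       # False
```

The same check can be run against a live search page's response body to confirm that a deployed fix actually encodes every place the parameter is echoed.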

1 Comment:

Blogger Credit Center told...

Hi thanks for your blog, I liked it! I also have a blog/site about credit cards for bad credit that covers credit cards for bad credit related stuff. Please feel free to visit.

7:04 PM

Copyright (c) 2006 Pridels Sec Crew