by r0t,der4444,cembo,VietMafia

Thursday, December 15, 2005

HostingCart XSS

Vuln. discovered by: r0t
Date: 15 Dec. 2005
Vendor: www.zaygo.com/hosting-tools/hostingcart/
Affected version: 2.0 and prior

Product Description:

Zaygo HostingCart is a complete shopping cart, designed especially for ISPs and hosting companies. It includes an integrated domain name search. Customers can buy hosting plans on their own or associated with a specific domain name. You can define hosting plans with names and prices, and choose prices for domain name registration in different TLDs for 1-10 years. Features: transfer domain function, with ownership check; customisable order emails to you and purchasers; automatic price and tax calculation; easy web-based admin and installation; Free downloadable HTML themes or design your own look using simple HTML templates; and upgradable with plugins for automatic domain registration, credit card processing, domain name wizards, and faster searching.


Vuln. Description:

HostingCart contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the search module's parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.
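The following is an added example illustrating what "properly sanitised" means for a reflected search parameter; it is not HostingCart's code (the product's source is not shown on this page) and it assumes a hypothetical search handler whose parameter is named q. It shows the raw reflection that causes this class of flaw next to the hardened version, which HTML-encodes the term before echoing it, plus a small check a tester can run against a rendered page to see whether the reflection point is encoded.

```python
import html
from urllib.parse import parse_qs

# Constructed example (not HostingCart's code): a minimal search handler that
# echoes the query term back into an HTML page. The parameter name "q" is an
# assumption; the advisory does not name the affected parameters.
SEARCH_PARAM = "q"


def search_term(query_string: str) -> str:
    """Extract the search term from a raw URL query string ("" if absent).

    parse_qs already percent-decodes the value, exactly as a web framework
    would before handing it to the application.
    """
    values = parse_qs(query_string, keep_blank_values=True).get(SEARCH_PARAM, [""])
    return values[0]


def render_results_vulnerable(query_string: str) -> str:
    """Raw reflection: whatever the client sent becomes markup in the page."""
    term = search_term(query_string)
    return f"<p>Results for: {term}</p>"


def render_results_hardened(query_string: str) -> str:
    """Output encoding for an HTML text-node context.

    html.escape converts & < > " ' into character references, so the term is
    rendered as visible text and can never open a tag or attribute.
    """
    term = search_term(query_string)
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def is_reflected_unescaped(page: str, term: str) -> bool:
    """Defender-side check on a rendered page.

    Returns True when a term that contains HTML metacharacters appears
    verbatim in the output, i.e. the reflection point is not encoded.
    """
    has_metachars = any(c in term for c in "<>\"'&")
    return has_metachars and term in page


if __name__ == "__main__":
    # Constructed request: the search term carries a harmless <b> tag.
    qs = "q=%3Cb%3Edomain%3C%2Fb%3E"
    term = search_term(qs)
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("hardened", render_results_hardened)):
        page = render(qs)
        print(f"{name:10s} {page!r} unescaped={is_reflected_unescaped(page, term)}")
```

Encoding at the output point is the fix the advisory calls for; filtering or stripping tags on input is weaker, because the same value may later be placed into a JavaScript string, an attribute or a URL, each of which needs its own encoding.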

2 Comments:

Blogger Credit Center told...

Hey, you have a great blog here! I'm definitely going to bookmark you!

I have a credit cards for bad credit site/blog. It pretty much covers credit cards for bad credit related stuff.

Come and check it out if you get time :-)

7:03 PM

 
Blogger bloggggggs told...

A lot of interest for your blog and a great deal of discussion. Great sites to surf domain name hosting, domain name, domain reseller, au domain, free website, online business, home based business, electric scooter, xbox360!

1:24 PM

 

Copyright (c) 2006 Pridels Sec Crew