by r0t,der4444,cembo,VietMafia

Thursday, December 15, 2005

StaticStore Search Engine Friendly E-Commerce XSS

StaticStore Search Engine Friendly E-Commerce XSS

Vuln. discovered by : r0t
Date: 15 dec. 2005
affected version:1.189A and prior

Product Description:

StaticStore is a full store and online catalog builder complete with a browser based store manager for categorizing, adding, copying, moving, editing, and deleting products from your product database. Static search engine friendly HTML pages are then created from the MySQL product database. StaticStore is a robust store and online catalog builder and is able to categorize and build hundreds of product categories and thousands of static search engine friendly HTML product pages. StaticStore will allow you to categorize and start adding products immediately upon installation. StaticStore is truly the most "search engine friendly" and "user friendly" store and online catalog builder available in the market today.

Vuln. Description:

StaticStore contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameter in "search.cgi" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Edit the source code to ensure that input is properly sanitised.


Anonymous Anonymous told...


The vulnerability has been corrected. If you add a script tag into the search box at you will see.

I am sorry about the misunderstanding as we get so many spam emails etc. I want to thank you for bringing that to our attention and the patched "search.cgi" has been emailed to all customers and posted for download on our private forums.

Take Care,
Dave Stanovic

3:35 PM


Post a Comment

<< Home

Copyright (c) 2006 Pridels Sec Crew