by r0t,der4444,cembo,VietMafia

Sunday, June 18, 2006

Tradingeye Shop R4 XSS

###############################################
Vuln. discovered by : r0t
Date: 18 june 2006
vendor:http://www.dpivision.com/
affected versions:R4 and prior
###############################################

Vuln. Description:

Tradingeye Shop contains a flaw that allows remote cross-site scripting attacks. Input passed to the "image" parameter in "details.cfm" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
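The following is an added example, not code from the advisory or from the dpivision.com product. It models the flaw described above (a query parameter reflected unencoded into the page) beside the fix the Solution section calls for (HTML-encoding the value before it is returned), and adds a small log check a site operator could run over web server access logs to spot requests that carry markup in the "image" parameter. The render functions, the log format, the sample log lines and all IP addresses are constructed for illustration and are not taken from the real details.cfm.

```python
import html
from urllib.parse import urlparse, parse_qs, unquote

# Stand-in for the flawed page: the "image" query parameter is echoed into
# the HTML unchanged. This is the behaviour the advisory describes, not the
# vendor's real details.cfm code (assumption for illustration).
def render_details_vulnerable(image: str) -> str:
    return f'<img src="{image}" alt="product image">'

# Hardened variant: the value is HTML-encoded (including quotes) before it
# is placed inside the attribute, so markup characters in the parameter can
# no longer break out of the attribute and inject script.
def render_details_fixed(image: str) -> str:
    return f'<img src="{html.escape(image, quote=True)}" alt="product image">'

# Detection helper (constructed): flag access-log requests to details.cfm
# whose "image" parameter contains HTML metacharacters.
SUSPICIOUS_TOKENS = ("<", ">", '"', "javascript:")

def suspicious_image_requests(log_lines):
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        request_target = parts[6]  # request path in the combined log format
        parsed = urlparse(request_target)
        if not parsed.path.lower().endswith("details.cfm"):
            continue
        for value in parse_qs(parsed.query).get("image", []):
            # parse_qs already percent-decodes once; a second unquote also
            # catches double-encoded values.
            decoded = unquote(value).lower()
            if any(tok in decoded for tok in SUSPICIOUS_TOKENS):
                hits.append((parts[0], value))
    return hits

# Constructed sample log lines (combined log format); the addresses are
# documentation-range placeholders, not real clients.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2006:10:01:02 +0000] "GET /details.cfm?image=prod42.jpg HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Jun/2006:10:02:40 +0000] "GET /details.cfm?image=%22%3E%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.7 - - [18/Jun/2006:10:03:11 +0000] "GET /index.cfm HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    tainted = '"><script>x</script>'
    print("unencoded :", render_details_vulnerable(tainted))
    print("encoded   :", render_details_fixed(tainted))
    for client, value in suspicious_image_requests(SAMPLE_LOG):
        print("suspicious request from", client, "image =", repr(value))
```

The encoded output keeps the original characters visible to the user but neutral to the browser's HTML parser, which is the sanitisation the Solution section asks for; the log check is a coarse first-pass filter and will not catch every encoding variant, so treat it as a triage aid rather than a complete detector.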
More information @ unsecured-systems.com/forum/

3 Comments:

Anonymous Anonymous told...

Hi, you say "more information -> unsecured-system/forum". I'm a member of your forum (casper_), but I can see nothing about this in the forum.
thx. casper_

7:24 PM

 
Blogger r0t told...

The reason I always write "more information on unsecured-system/forum" is that there you can better discuss security-related questions about your or other software. You can ask/answer there.

8:46 PM

 
Anonymous Wladimir told...

Hi,

A patch has been released for this threat. Please contact dpivision.com for the latest update.

Kind Regards,

Wladimir
dpivision.com Ltd

11:31 AM

Copyright (c) 2006 Pridels Sec Crew