CWRedLight
(Date : 15.04.2008 16:52:47)
WORK system e-commerce main.php Cross-Site Scripting
Secunia Advisory: SA29823  
Release Date: 2008-04-15

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched

Software: WORK system e-commerce 4.x
Description:
Russ McRee has discovered some vulnerabilities in WORK system e-commerce, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "day", "month", and "year" parameters in module/main.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

The vulnerabilities are confirmed in version 4.0.9. Other versions may also be affected.

Solution:
Filter malicious characters and character sequences in a web proxy.
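
One way to apply this filtering at a proxy, shown as an added example that is not part of the advisory or the vendor's code: because the three affected parameters are date components, an allow-list of digits within a range is stricter than stripping characters. The host name, the year bounds, the function name and the restriction to GET query strings are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Allowed numeric range per date parameter named in the advisory.
# The year bounds are an assumption; adjust to the shop's real data.
DATE_PARAMS = {"day": (1, 31), "month": (1, 12), "year": (1990, 2100)}
TARGET_SUFFIX = "/module/main.php"


def check_request(url):
    """Return (allowed, reason) for one request URL seen by the proxy."""
    parts = urlsplit(url)
    if not parts.path.endswith(TARGET_SUFFIX):
        return True, "not the affected script"
    seen = set()
    # parse_qsl percent-decodes, so encoded markup is checked in decoded form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.split("[", 1)[0]  # PHP turns day[]=x into an array "day"
        if key not in DATE_PARAMS:
            continue
        if key != name or key in seen:
            # Repeats and array syntax can make the proxy and the
            # application disagree on the value, so reject both.
            return False, f"repeated or array-style parameter: {key}"
        seen.add(key)
        # Allow-list: one to four ASCII digits, nothing else.
        if not (value.isascii() and value.isdigit() and len(value) <= 4):
            return False, f"non-numeric {key}"
        low, high = DATE_PARAMS[key]
        if not low <= int(value) <= high:
            return False, f"{key} out of range"
    return True, "ok"


# Constructed sample requests (not taken from the advisory).
SAMPLES = [
    "http://shop.example/module/main.php?day=15&month=4&year=2008",
    "http://shop.example/module/main.php?day=15%22%3E%3Cb%3E&month=4&year=2008",
    "http://shop.example/module/main.php?day=1&day=2",
    "http://shop.example/index.php?day=%3Cb%3E",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_request(sample), sample)
```

A proxy rule like this only covers the three parameters listed above; it does not replace output encoding in the application once a vendor fix exists.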

Provided and/or discovered by:
Russ McRee



Source: http://secunia.com/advisories/29823/