lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 4 Dec 2003 06:09:59 -0000
From: <parag0d@...eaker.net>
To: bugtraq@...urityfocus.com
Subject: XSS Vulnerabilities in Alan Ward Acart




Vulnerability:	XSS Vulnerabilities in msg

Description:	XSS (Cross Site Scripting) vulnerabilities exist in the msg parameter passed in the URL to many pages.  This can be used to run arbitrary code on the website, or redirect to some other malicious script.  These pages include:
	deliver.asp
	error.asp
	signin.asp
	admin/error.asp
	admin/index.asp

Exploit:	A test script was used to prove this vulnerability
	www.example.com/acart2_0/affected_page.asp?msg= &lt;script&gt;alert("test")&lt;/script&gt;

Solution:	The developer needs to properly sanitize variables passed through the URL to remove possible malicious code.

Credit:	CyberArmy Application and Code Auditing Team
	Parag0d

The developer was contacted about this matter but never gave any reply.

Powered by blists - more mailing lists