Message-ID: <20030708003230.3149.qmail@www.securityfocus.com>
Date: 8 Jul 2003 00:32:30 -0000
From: Massimo Arrigoni <support@...lyimpact.com>
To: bugtraq@...urityfocus.com
Subject: Re: ProductCart XSS Vulnerability


In-Reply-To: <20030705052949.8408.qmail@....securityfocus.com>

This security issue ONLY affects ProductCart v1.5 and before. It was fixed 
several months ago. Users of ProductCart v1.5 can update their software 
free of charge using the following fix, which also addresses the other 
recently posted security issues.

http://www.earlyimpact.com/productcart/support/security-alert-070603.asp

For any questions, please contact Early Impact at support@...lyimpact.com

The Early Impact Team

>Date: 5 Jul 2003 05:29:49 -0000
>Message-ID: <20030705052949.8408.qmail@....securityfocus.com>
>From: atomix atomix <at0mix87@...oo.com>
>To: bugtraq@...urityfocus.com
>Subject: ProductCart XSS Vulnerability
>
>
>
>#####################
>#  ProductCart XSS  #
>#   Vulnerability   #
>#  found by atomix  #
>#####################
>
>i came across the fact that in an area of ProductCart you are able to 
>manipulate the error message, therefore allowing tags such as 
><script> and 
><iframe> to be used:
>
>http://www.website.com/ProductCart/pc/msg.asp?message=><script>alert
>(document.cookie);</script>
>
>http://www.website.com/ProductCart/pc/msg.asp?message=<iframe%20src="C:\"%
>20width=400%20height=400></iframe>
>
>-atomix | atom b0mbs
>

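The defect reported above is a reflected XSS: msg.asp echoes its "message" query parameter into the page without encoding it. The following is an added example, not ProductCart's code or the vendor's fix; it re-creates that behaviour in Python next to an HTML-encoded rendering, and adds a defender-side check that flags requests to msg.asp whose "message" parameter carries tag markup (the marker list and function names are assumptions for illustration).

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Vulnerable rendering, as described in the report: the parameter is
# inserted verbatim, so any markup in it is interpreted by the browser.
def render_message_vulnerable(message: str) -> str:
    return f'<p class="error">{message}</p>'

# Hardened rendering: HTML-encode the parameter before inserting it, so
# "<", ">" and quotes reach the browser as entities and cannot open a tag
# or break out of an attribute.
def render_message_hardened(message: str) -> str:
    return f'<p class="error">{html.escape(message, quote=True)}</p>'

# Defender-side check over request URLs (for example taken from web server
# logs). Markers are an assumed, illustrative list, not an exhaustive one.
SUSPICIOUS_MARKERS = ("<script", "<iframe", "javascript:", "onerror=", "onload=")

def message_param(url: str) -> str:
    """Return the percent-decoded 'message' query parameter, or '' if absent.
    The query is split by hand so that ';' inside the value is kept, which
    urllib.parse.parse_qs does not guarantee across Python versions."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "message":
            return unquote_plus(value)
    return ""

def is_suspicious_request(url: str) -> bool:
    """True when the URL targets msg.asp and its message parameter contains
    markup that would execute if reflected unencoded."""
    if not urlsplit(url).path.lower().endswith("/msg.asp"):
        return False
    value = message_param(url).lower()
    return any(marker in value for marker in SUSPICIOUS_MARKERS)

if __name__ == "__main__":
    # Constructed sample requests: the two from the report plus a benign one.
    samples = [
        "http://www.website.com/ProductCart/pc/msg.asp?message=><script>alert(document.cookie);</script>",
        'http://www.website.com/ProductCart/pc/msg.asp?message=<iframe%20src="C:\\"%20width=400%20height=400></iframe>',
        "http://www.website.com/ProductCart/pc/msg.asp?message=Your+cart+is+empty",
    ]
    for url in samples:
        print(is_suspicious_request(url), render_message_hardened(message_param(url)))
```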
