lists.openwall.net
Open Source and information security mailing list archives
From: stfunub at gmail.com (Andrew Smith)
Subject: Click and Build eCommerce Platform Cross Site Scripting

ClickandBuild: http://apply.clickandbuild.com/
Online eCommerce platform.

Vulnerability

The vulnerability lies in the "listPos" variable in the script running at cashncarrion.co.uk. It does not properly secure user-inputted variables, presumably as the user is not supposed to input the variable but can do so easily through the URL. I was not able to find any other unchecked variables that are printed, but there could be more.

More information and examples can be found here:
http://www.wheresthebeef.co.uk/XSS/clicknbuild.html
and here:
http://www.wheresthebeef.co.uk/XSS/cash.n.carrion.co.uk.html

The vendor has been informed and claims to have fixed this problem.

-- 
zxy_rbt2
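As an added illustration that is not part of the post above (and not Click and Build's own code, which the page does not show), the following Python sketch shows the class of bug the report describes: a parameter such as listPos that the application itself normally sets (here a paging offset) is copied from the query string straight into HTML, so anything an attacker puts in the URL becomes markup. The vulnerable and hardened renderers, the parameter parsing, and the sample URLs are all constructed for this example; the hardened version treats the value as the integer it was always meant to be and encodes it on output regardless.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample requests (hypothetical host and script name); the
# real cashncarrion.co.uk URLs are not reproduced on the page.
NORMAL_URL = "http://shop.example/list.cgi?listPos=20"
ATTACK_URL = (
    "http://shop.example/list.cgi?listPos="
    "20%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
)


def get_param(url, name, default=""):
    """Return the first value of a query-string parameter, URL-decoded."""
    return parse_qs(urlparse(url).query).get(name, [default])[0]


def render_vulnerable(url):
    """Reflects listPos verbatim into HTML: the pattern the report describes.

    The developer assumed listPos only ever comes from the site's own
    paging links, so no validation or encoding was applied.
    """
    list_pos = get_param(url, "listPos", "0")
    return f'<a href="list.cgi?listPos={list_pos}">Next page</a>'


def render_hardened(url):
    """Validate listPos as a non-negative integer, then HTML-encode on output."""
    raw = get_param(url, "listPos", "0")
    try:
        list_pos = int(raw)
    except ValueError:
        list_pos = 0  # anything that is not a plain offset is discarded
    if list_pos < 0:
        list_pos = 0
    # Output encoding is applied even though the value is now numeric, so the
    # fix does not rest on the validation step alone.
    safe = html.escape(str(list_pos), quote=True)
    return f'<a href="list.cgi?listPos={safe}">Next page</a>'


def contains_script(markup):
    """Crude check used only to contrast the two renderers in this example."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_URL))
    print("hardened:  ", render_hardened(ATTACK_URL))
```

With the attack URL, the vulnerable renderer emits the injected `<script>` element inside the page, while the hardened one falls back to an offset of 0 and emits only the encoded number. Validating the type is the real fix for a parameter that should never have been free text; output encoding is the defence that still holds if some other code path later reflects the raw value.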