Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Click and Build eCommerce Platform Cross Site Scripting
From: Andrew Smith <stfunub () gmail com>
Date: Wed, 17 Nov 2004 16:13:17 +0000

ClickandBuild: http://apply.clickandbuild.com/
Online eCommerce platform.

Vulnerability
The vulnerability lies in the "listPos" variable in the script running
at cashncarrion.co.uk.
It does not properly secure user inputted variables, presumably as the
user is not supposed to input the variable but can do easily through
the URL.
I was not able to find any other unchecked variables that are printed,
but there could be more.

More information and examples can be found here:
http://www.wheresthebeef.co.uk/XSS/clicknbuild.html
and here:
http://www.wheresthebeef.co.uk/XSS/cash.n.carrion.co.uk.html

The vendor has been informed and claim to have fixed this problem.
-- 
zxy_rbt2

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Click and Build eCommerce Platform Cross Site Scripting Andrew Smith (Nov 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault