Valdersoft Shopping Cart index.php lang Variable XSS |
OSVDB ID: 15055
Disclosure Date: Mar 27, 2005
Description:
Valdersoft Shopping Cart contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the `lang` parameter upon submission to the index.php script before echoing it back into the page. This allows an attacker to craft a URL that, when opened by a victim, executes arbitrary script in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity and, since the script can read document.cookie, of confidentiality.
Vulnerability Classification:
Remote/Network Access Required
Input Manipulation
Loss Of Confidentiality
Loss Of Integrity
Exploit Available
Web Related
Products:
VALDERSOFT Shopping Cart 3.0
Solution:
Upgrade to version 3.0 or higher, obtained from the vendor site on or after March 30, 2005, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
NOTE: The vendor has fixed the vulnerability without changing the version number, so the version string alone cannot distinguish a patched install from an unpatched one; the manual test below is the only reliable check.
Manual Testing Notes:
http://[victim]/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&lang=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
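The following is an added example, not code from OSVDB, the original reporter or Valdersoft. It takes the proof-of-concept URL above, recovers the decoded `lang` value the server receives, emulates the two server-side behaviours (verbatim echo versus allowlist plus HTML encoding) and classifies the resulting response body. The hidden-field context, the allowlist of language codes and the response bodies are all assumptions constructed for the example; the payload's leading `">` is what suggests the value is reflected inside a double-quoted attribute. It runs offline with no request to any host.

```python
"""Reflected-XSS check for OSVDB 15055 (Valdersoft Shopping Cart, index.php `lang`).

Added example, not from OSVDB or Valdersoft. Nothing here talks to a server:
the "responses" are rendered locally by two emulated handlers.
"""
import html
from urllib.parse import parse_qs

# PoC URL copied from the advisory's manual testing notes.
POC_URL = ("http://[victim]/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132"
           "&lang=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")

# Assumed set of language codes the cart ships; anything else is rejected.
ALLOWED_LANGS = frozenset({"en", "de", "fr", "es"})
DEFAULT_LANG = "en"


def query_params(url: str) -> dict:
    """Decode the query string the way the server sees it (percent-decoded).
    The split on '?' is done by hand because the advisory's placeholder host
    '[victim]' is not a valid bracketed IPv6 literal for urllib's urlsplit()."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def select_lang(requested: str) -> str:
    """Server-side allowlist: only a known language code is ever used."""
    return requested if requested in ALLOWED_LANGS else DEFAULT_LANG


def render_vulnerable(lang: str) -> str:
    """Emulates the unpatched pattern (assumed context): the raw parameter is
    echoed into a double-quoted attribute, so a leading '">' closes the tag."""
    return f'<input type="hidden" name="lang" value="{lang}">'


def render_fixed(lang: str) -> str:
    """Hardened echo: encode for the HTML attribute context. For this payload
    html.escape(quote=True) produces the same output as PHP's
    htmlspecialchars($s, ENT_QUOTES)."""
    return f'<input type="hidden" name="lang" value="{html.escape(lang, quote=True)}">'


def classify(body: str, payload: str) -> str:
    """'vulnerable' if the payload is reflected byte-for-byte,
    'encoded' if only its HTML-encoded form appears, 'absent' otherwise."""
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def check_poc(url: str = POC_URL) -> dict:
    """Run the PoC payload through each emulated handler and classify the result."""
    payload = query_params(url)["lang"]
    return {
        "payload": payload,
        "unpatched": classify(render_vulnerable(payload), payload),
        # Encoding alone neutralises the payload ...
        "encoded_only": classify(render_fixed(payload), payload),
        # ... and allowlisting first means it never reaches the page at all.
        "patched": classify(render_fixed(select_lang(payload)), payload),
    }


if __name__ == "__main__":
    for key, value in check_poc().items():
        print(f"{key}: {value}")
```

Against a live target the same `classify()` can be run over the body returned for the PoC URL: a `vulnerable` result confirms the unpatched build regardless of what version string it reports, which matters here because the vendor fix did not bump the version.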
External References:
CVE ID: 2005-0908
Related OSVDB ID: 15051
Related OSVDB ID: 15052
Related OSVDB ID: 15053
Related OSVDB ID: 15054
Related OSVDB ID: 15056
ISS X-Force ID: 19846
Secunia Advisory ID: 14719
Vendor URL: http://www.valdersoft.com/valdersoft_shopping_cart.php
Other Advisory URL: http://www.hackerscenter.com/Archive/view.asp?id=1780
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0470.html
Security Tracker: 1013565
Credit:
Diabolic Crab
Vulnerability Status:
This entry was last updated on Jul 7, 2005. If you have additional information or corrections for this vulnerability please submit them to OSVDB Moderators.
Direct URL to this page: http://www.osvdb.org/15055