lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 26 Apr 2005 19:22:14 -0000
From: Zinho <zinho@...kerscenter.com>
To: bugtraq@...urityfocus.com
Subject: [HSC Security Group] Comersus v6 Script injection




Hackers Center Security Group (http://www.hackerscenter.com/)      
Zinho's Security Advisory       


Title: Comersus v6 Shopping Cart Sever Script injection 
Risk: High    
    


Comersus is one of the most used Shopping Cart software written in asp, available for  *nix and windows platforms. 


A critical script injection can lead to admin privileges stealing: 

Proof of concept: By registering on the site with username:  
" Tommy &lt;script&gt;alert(document.cookie)&lt;/script&gt; " 

the script will be executed in all the pages in which Tommy's account is listed. Among  the other also in the admin pages. 
Being comersus a shopping cart script, this is reported as a high risk level issue 



Author:       
Zinho is webmaster and founder of http://www.hackerscenter.com ,   Security research    portal     
Secure Web Hosting Companies Reviewed:    
http://www.securityforge.com/web-hosting/secure-web-hosting.asp    

zinho-no-spam @ hackerscenter.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ