----- Original Message -----
From: "Julio Cesar" <e2fsck@bol.com.br>
To: <bugtraq@securityfocus.com>
Sent: Monday, May 12, 2003 8:19 AM
Subject: One more flaw in Happymall
>
>
> Happymall E-Commerce Directory Transversal Bug and Cross-site scripting
>
> Vendor: Happycgi.com
>
> Product: Happymall
>
> Versions: 4.3, 4.4 (patched version too)
>
> 'normal_html.cgi' doesn't filter user-supplied input. The well-known
> directory transversal
> and cross-site scripting (XSS) vulnerabilities are present in Happymall
> (patched version too).
>
> The impact is that attackers can read files on the system and use XSS
> tricks to steal
> cookies and other informations.
>
> An example: /shop/normal_html.cgi?file=../../../../../../etc/issue%00
> /shop/normal_html.cgi?file=<script>alert("XSS")</script>
>
> Even happycgi.com is vulnerable to these bugs.
>
> Solution: I have contacted CERTCC-KR.
>
> Greetings: y0Rk, iplogd, rfds, VUGO, psaux, romer, cronus, Sh0dan, jo3y_,
> psyc, Red_Hat BoLoDoRio, c7g, C0VER, SaintsLD, sarkastics, B_Real and
> #xcorp @ BRASNet :)
>
> Julio "e2fsck" Cesar, <e2fsck@bol.com.br>
> e2fsck @ irc.brasnet.org
>
> san dimas high school football rules
>
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
