
Alan Ward Acart XSS Vulnerabilities
XSS Vulnerabilities in Alan Ward Acart



Vulnerability:	XSS Vulnerabilities in the msg parameter



Description:	XSS (Cross Site Scripting) vulnerabilities exist in the msg parameter passed in the URL to many pages. The value is written back into the page unencoded, so an attacker who gets a victim to open a crafted link can run arbitrary script in the victim's browser in the context of the site, or redirect the victim to some other malicious script. These pages include:

	deliver.asp
	error.asp
	signin.asp
	admin/error.asp
	admin/index.asp



Exploit:	A test script was used to prove this vulnerability

	www.example.com/acart2_0/affected_page.asp?msg= <script>alert("test")</script>



Solution:	The developer needs to properly sanitize values passed through the URL (such as the msg parameter) before they are written back into the page, so that any injected markup is neutralised rather than rendered.
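The pattern behind this advisory and its fix, shown as an added classic ASP illustration (not Acart's own source): it assumes a page that displays a status message taken from the msg query-string parameter, and the message codes in the lookup table are constructed for the example.

```vbscript
<%
' Added illustration, not Acart's own code. Assumes a page that shows a
' status message taken from the "msg" query-string parameter, as in
' deliver.asp?msg=... above.
Option Explicit
Dim msg
msg = Request.QueryString("msg")

' 1) Vulnerable pattern: the raw parameter is written into the HTML body,
'    so markup supplied in the URL becomes markup in the page (reflected XSS).
' Response.Write "<p class=""notice"">" & msg & "</p>"

' 2) Minimal fix: HTML-encode the value at the point of output.
'    Server.HTMLEncode escapes < > & and double quotes; it does NOT escape
'    the single quote, so only use the result in text content or in
'    double-quoted attributes, never inside <script> or single-quoted attributes.
Response.Write "<p class=""notice"">" & Server.HTMLEncode(msg) & "</p>"

' 3) Stronger fix: do not reflect free text at all. Treat msg as a short
'    message code, look the text up server-side, and fall back to a fixed
'    string for anything unknown. (The codes below are constructed.)
Dim messages
Set messages = Server.CreateObject("Scripting.Dictionary")
messages.Add "login_failed", "Sign-in failed. Please check your details."
messages.Add "order_ok",     "Your order has been received."

Dim text
If messages.Exists(msg) Then
    text = messages(msg)
Else
    text = "An error occurred."
End If
' Encode even the trusted text so the output rule stays uniform.
Response.Write "<p class=""notice"">" & Server.HTMLEncode(text) & "</p>"
%>
```

With either fix, the test URL from the advisory renders the literal text of the tag instead of executing it, which is the check to repeat on each listed page after patching.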



Credit:	CyberArmy Application and Code Auditing Team

	Parag0d



The developer was contacted about this matter but never gave any reply.
