|
Indonesia Security Development Team (Indohack) http://indohack.sourceforge.net/drponidi =========================================================================== Security Advisory Advisory Name: JShop Input Validation Hole in 'page.php' Permits Cross-Site Scripting Attacks Platform: Linux (Any), UNIX (Any), Windows (Any) Release Date: 22/8/04 Author: Dr`Ponidi Discover by: Dr`Ponidi Vendor Status: Notified Vendor URL: http://jshop.co.uk/products_jss.php Reference: http://indohack.sourceforge.net/drponidi ContactPerson: #dhegleng, #Indohack [at] dalnet [Overview] JShop is a e-commerce system designed for servers that support both PHP and mySQL. Featuring a wealth of features for high-end e-commerce systems, such as customer accounts, stock control and order processing, JShop is designed for those companies wanting to offer a greater level of service to their on-line customers. [Proof of Concept] http://vulnerable/page.php?xPage=