JShop Input Validation Hole in 'page.php' Permits Cross-Site Scripting Attacks

Indonesia Security Development Team (Indohack)
http://indohack.sourceforge.net/drponidi 
===========================================================================
Security Advisory


Advisory Name: JShop Input Validation Hole in 'page.php' Permits Cross-Site Scripting Attacks 
     Platform: Linux (Any), UNIX (Any), Windows (Any)
 Release Date: 22/8/04
       Author: Dr`Ponidi
Discovered by: Dr`Ponidi
Vendor Status: Notified
   Vendor URL: http://jshop.co.uk/products_jss.php 
    Reference: http://indohack.sourceforge.net/drponidi 
ContactPerson: #dhegleng, #Indohack [at] dalnet 

[Overview]
JShop is an e-commerce system designed for servers that support
both PHP and MySQL. It offers features found in high-end e-commerce systems,
such as customer accounts, stock control and order processing, and is designed
for companies that want to offer a greater level of service to their on-line customers.

[Proof of Concept]
http://vulnerable/page.php?xPage=
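
A log check for sites running the affected script, added here as an example and not part of the original advisory or of JShop: it flags requests to page.php whose xPage value decodes to HTML markup characters. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to leave HTML text or an attribute value
MARKUP_RE = re.compile(r'[<>"\']')

# Constructed sample lines (documentation addresses, harmless markup only)
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2004:10:00:01 +0000] "GET /page.php?xPage=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Aug/2004:10:00:07 +0000] "GET /page.php?xPage=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5164',
    '203.0.113.9 - - [22/Aug/2004:10:00:09 +0000] "GET /page.php?xPage=%253Ci%253Eprobe HTTP/1.1" 200 5150',
    '203.0.113.7 - - [22/Aug/2004:10:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 900',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_xpage(line):
    """Return the decoded xPage value if it carries markup characters, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith("/page.php"):
        return None
    # parse_qs decodes once; decode_fully removes any further encoding layers
    for raw in parse_qs(target.query, keep_blank_values=True).get("xPage", []):
        value = decode_fully(raw)
        if MARKUP_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_xpage(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: xPage carries markup: {value!r}")
```

A hit shows that markup was submitted in xPage, not that the response reflected it unescaped; confirm against the application's output handling.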