TUCoPS :: Web :: e-commerce, shopping carts :: hack1242.htm

Alan Ward Acart Improper authentication checking
Improper authentication checking in Alan Ward Acart 



Vulnerability:	Improper authentication checking for delete



Discussion:	Due to improper authentication checking a pop-up opened by any of the multiple XSS vulnerabilities by the admin of the site can cause a database compromise.



Exploit:	By using one of the multiple XSS vulnerabilities in this script, an attacker can cause the site administrator to open a new window and delete products or entire categories of products from the database.  The syntax is below:

	

www.example.com/acart2_0//admin/category.asp?catcode=1&stage= delete



Solution:	The developer needs to implement a new authentication mechanism for deletion of data.



Credit:	CyberArmy Application and Code Auditing Team

	Parag0d



The developer was contacted regarding this matter, but never gave a reply.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH