Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

Confixx 3.1.2 <= Cross Site Scripting Vuln

[SA19589] Debian mnogosearch Insecure Password Storage Security Issue

[SA19601] dnGuestbook admin.php SQL Injection Vulnerability

[SA19563] MAXdev MD-Pro ADOdb "server. php" Insecure Test Script Security Issue

From:	r0t <r0t_(at)_r00t.it>
Date:	11.04.2006
Subject:	ShopXS v4.0 XSS vuln.

ShopXS v4.0 XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 10 april 2006
vendor:MK Internet-Service GmbH
vendorlink:http://www.shopxs.de/
affected versions:ShopXS-Version 4.00 and previous
orginal advisory:http://pridels.blogspot.com/2006/04/shopxs-v40-xss-vuln_10.html
###############################################


Vuln. Description:

Input passed to the search module field parameter when performing a search isn't
properly sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context
of an affected site.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
Greetings to: der4444,xaPridel,cembo,g0df4th3r,
waraxe,FrozenEye,str0ke,RaZbh,rst team,nst team,
Minsk,:[PsiHOdelik]:,damrai,UFoloG,verified team,
clanger,Hello_its_me,johnco,Txuri,The Cracker,
mag2000,fredrau,owen and to all X-ACCESS team!
###############################################
More information @ unsecured-systems.com/forum/