Computer Security
[EN] securityvulns.ru

From: r0t <krustevs_(at)_googlemail.com>
Date: 18.04.2006
Subject: BluePay Manager v2.0 Script Insertion Vulnerability

BluePay Manager v2.0 Script Insertion Vulnerability

###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
Vendor: bluepay.com
Affected versions: v2.0 and previous
Original advisory:
http://pridels.blogspot.com/2006/04/bluepay-manager-v20-script-insertion.html
###############################################

Vuln. description:

Input passed to the "Account Name" and "Username" field parameters when a
user tries to log in is not properly sanitised before being used. This can be
exploited to inject arbitrary HTML and script code, which will be executed
in a user's browser session in the context of an affected site when the
malicious user data is viewed.


Example:

Manual check only:

https://secure.bluepay.com/login

Type some XSS test characters into those fields and you will see.



###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
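The advisory's one-line fix ("ensure that input is properly sanitised") is, for a script-insertion bug of this kind, best realised as context-aware output encoding of the reflected values, with allowlist validation of the username as defence in depth. The following is an added example written for this page, not code from r0t or from BluePay: the page template, the field names `account_name` and `username`, and the sample inputs are all constructed, and the escaping uses Python's standard `html.escape`. It puts the 'before' rendering beside the hardened one and includes a small check that tells the two apart.

```python
import html
import re
from typing import Dict

# Constructed sample input for the two fields named in the advisory.
# The '<' and '"' characters are what an HTML-context injection relies
# on; no real payload is needed to exercise the check.
SAMPLE_INPUT = {
    "account_name": "Acme <b>Corp</b>",
    "username": 'jdoe" onfocus="x',
}

# Hypothetical page fragment (the real BluePay template is not on the page).
# One value lands in element text, the other inside a quoted attribute.
TEMPLATE = (
    "<p>Login failed for account {account_name}.</p>\n"
    '<input type="text" name="username" value="{username}">'
)


def render_vulnerable(fields: Dict[str, str]) -> str:
    """'Before': user input is interpolated straight into the HTML."""
    return TEMPLATE.format(**fields)


def render_hardened(fields: Dict[str, str]) -> str:
    """'After': every value is HTML-escaped before interpolation.

    html.escape(..., quote=True) encodes & < > and both quote characters,
    which covers the element-text context and the double-quoted value="..."
    attribute context used in TEMPLATE.
    """
    safe = {k: html.escape(v, quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**safe)


# Allowlist for usernames: letters, digits and a few separators, bounded
# length. Rejecting early is defence in depth, not a substitute for encoding.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def username_is_valid(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


# Detection helper for a review or regression test: does any submitted value
# containing markup-significant characters appear verbatim in the output?
DANGEROUS = re.compile(r"[<>\"']")


def reflects_unescaped(rendered: str, fields: Dict[str, str]) -> bool:
    return any(
        DANGEROUS.search(value) is not None and value in rendered
        for value in fields.values()
    )


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable),
                            ("hardened", render_hardened)):
        out = renderer(SAMPLE_INPUT)
        print(f"--- {label}: unescaped reflection = "
              f"{reflects_unescaped(out, SAMPLE_INPUT)}")
        print(out)
    print("username valid:", username_is_valid(SAMPLE_INPUT["username"]))
```

The check in `reflects_unescaped` is deliberately simple: it only asks whether a value that carries `<`, `>`, `"` or `'` survived into the output unchanged, which is enough to catch the class of defect the advisory describes in a unit test, without needing any browser.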

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod