Bugtraq mailing list archives
XSS bug in MyMarket 1.71
From: "qber66" <qber66 () pandora be>
Date: Wed, 11 Sep 2002 20:17:15 +0200
+----------------------+
| XSS in MyMarket 1.71 |
+----------------------+

Product Description
===================
MyMarket is a fully functional online shopping catalog system, built using PHP and MySQL. It was created by Ying Zhang for the purpose of teaching people about the basics of creating an E-Commerce site. It can be found at http://mymarket.sourceforge.net/

Vulnerable systems
==================
MyMarket 1.71

Exploit
=======
http://[target]/templates/form_header.php?noticemsg=<Scr*ipt>javascript:alert(document.cookie)</Scr*ipt>
(without "*")

Solution
========
Put these two lines at the beginning of form_header.php

---- form_header.php -----
<?
$noticemsg = HTMLSpecialChars($noticemsg);
$errormsg = HTMLSpecialChars($errormsg);
...
--------------------------

Vendor response
===============
I submitted this a week ago; the vendor hasn't responded yet.

------------------------------
Tim Vandermeersch
qber66 () pandora be
http://users.pandora.be/tim/
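The fix in the advisory encodes noticemsg and errormsg before the template prints them. The following is an added example, not part of the original post and not MyMarket code: it applies the same encoding at the point of output while reading the two parameters explicitly instead of through register_globals. The helper names h() and render_messages(), the paragraph markup and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not MyMarket code: a stand-in for a template that prints
// noticemsg and errormsg, with encoding applied where the value is output.

/** Encode a value for an HTML text or quoted-attribute context. */
function h(?string $value): string
{
    // ENT_QUOTES encodes ' as well as "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical renderer standing in for the message area of form_header.php. */
function render_messages(array $params): string
{
    $out = '';
    // Read only the two expected keys rather than relying on register_globals.
    foreach (['noticemsg' => 'notice', 'errormsg' => 'error'] as $key => $class) {
        $raw = $params[$key] ?? '';
        if (!is_string($raw) || $raw === '') {
            continue; // arrays (?noticemsg[]=x) and empty values are skipped
        }
        $out .= '<p class="' . $class . '">' . h($raw) . "</p>\n";
    }
    return $out;
}

// Constructed sample input: markup characters, both quote styles, and an
// array where a string is expected.
$sample = [
    'noticemsg' => '<b>Saved</b> "cart" & \'wishlist\'',
    'errormsg'  => ['unexpected', 'array'],
];

$html = render_messages($sample);
echo $html;

// Self-check: the parameter reaches the page only in encoded form.
$expected = '&lt;b&gt;Saved&lt;/b&gt; &quot;cart&quot; &amp; &#039;wishlist&#039;';
if (strpos($html, $expected) === false || strpos($html, '<b>') !== false) {
    throw new RuntimeException('encoding check failed');
}
```

In a real template the array passed to render_messages() would be $_GET or $_REQUEST. Encoding this way covers HTML text and quoted attribute contexts only; values placed inside script blocks or URLs need context-specific encoding.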