JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability
BID:9609
Info
JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability
| Bugtraq ID: | 9609 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 09 2004 12:00AM |
| Updated: | Feb 09 2004 12:00AM |
| Credit: | Discovery of this vulnerability has been credited to David Sopas Ferreira <[email protected]>. |
| Vulnerable: |
JShop E-Commerce JShop Server 0 JShop E-Commerce JShop Professional v3 |
| Not Vulnerable: | |
Discussion
JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability
A vulnerability has been reported to exist in JShop E-Commerce that may allow a remote user to execute HTML or script code in a user's browser.
The issue is reported to exist due to improper sanitizing of user-supplied data. It has been reported that HTML and script code may be parsed via a URI parameter of the 'search.php' script. This vulnerability makes it possible for an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site.
A vulnerability has been reported to exist in JShop E-Commerce that may allow a remote user to execute HTML or script code in a user's browser.
The issue is reported to exist due to improper sanitizing of user-supplied data. It has been reported that HTML and script code may be parsed via a URI parameter of the 'search.php' script. This vulnerability makes it possible for an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site.
Exploit / POC
JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability
The following proof of concept has been supplied:
search.php?xSearch=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscrip%3E&submit=Search
The following proof of concept has been supplied:
search.php?xSearch=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscrip%3E&submit=Search
Solution / Fix
JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability
Solution:
It has been reported that a vendor supplied fix to address this issue is pending. This however has not been confirmed.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
It has been reported that a vendor supplied fix to address this issue is pending. This however has not been confirmed.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerability
References:
References:
- JShop E-Commerce (David Sopas Ferreira
) - JShop E-Commerce Homepage (JShop E-Commerce)