BID:9693

WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulnerability

Info

WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulnerability

Bugtraq ID:	9693
Class:	Input Validation Error
CVE:	CVE-2004-0305
Remote:	Yes
Local:	No
Published:	Feb 18 2004 12:00AM
Updated:	Jul 12 2009 03:06AM
Credit:	Discovery of this vulnerability has been credited to Nick Gudov <[email protected]>.
Vulnerable:	WebCortex WebStores2000

Not Vulnerable:

Discussion

WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulnerability

It has been reported that WebStores2000 is prone to a cross-site scripting vulnerability. This issue is reportedly due to a failure to sanitize user input and so allow HTML and script code that may facilitate cross-site scripting attacks.

Exploit / POC

WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulnerability

The following example has been supplied:

http://www.example.com/error.asp?Message_id=35<script>alert(document.cookie)</script>

Solution / Fix

WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulnerability

Solution:
It has been reported that the vendor has addressed this issue in the latest release of Webstores2000. This however has not been confirmed.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulnerability

References:

WebStores2000 (WebCortex)
WebCortex Webstores2000 version 6.0 multiple security vulnerabilities (Nick Gudov )