XSS in Brazilian Insite products
From: Carlos Ulver (carlos.ulver_at_gmail.com)
Date: 11/24/04
Date: Wed, 24 Nov 2004 19:58:36 -0300
To: bugtraq@securityfocus.com
Well, I have found some XSS in Insite products:
Inmail -> As the name says, a webmail
Inshop -> Shopping cart
The XSS problem found could steal user accounts without the need of a password.
I sent an e-mail a long time ago telling them about this, but I got no
answers and no correction was made, so...
The proof of concept is shown below.
It's important to accentuate that users must be logged on to view this
proof of concept.
But an attacker could also forge a malicious link and send it to the
victim (Inmail) or make a commentary on a product (Inshop) that contains
malicious code using HTML and JavaScript.
Proof:
-----------------
Inmail:
http://target/mod_perl/inmail.pl?acao=<>opss!</h1>
For the webmail we need to use two << at the beginning of the first
tag of the XSS. It looks like a filter for any tag.
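
Added example, not part of the original post and not Insite's code: a Python sketch of why a filter that only neutralizes the start of the first tag fails when the `acao` value is reflected, next to an allow-list plus output-encoding fix. The filter model (`naive_filter`), the action names and the sample string are assumptions built from the post's description.

```python
import html

# Hypothetical action names; the values inmail.pl really accepts are not on the page.
ALLOWED_ACTIONS = {"inbox", "compose", "logout"}

# Constructed benign marker: a heading tag with a doubled '<' on the first tag,
# as the post describes.
SAMPLE = "<<h1>opss!</h1>"


def naive_filter(value: str) -> str:
    """Assumed model of the observed filter: drop only the first '<'."""
    return value.replace("<", "", 1)


def render_unsafe(acao: str) -> str:
    """Reflect the filtered parameter into the page without encoding it."""
    return "<p>Unknown action: " + naive_filter(acao) + "</p>"


def render_safe(acao: str) -> str:
    """Accept only known actions; HTML-encode anything echoed back."""
    if acao in ALLOWED_ACTIONS:
        return "<p>Action: " + acao + "</p>"
    # Encoding at output time makes the filter's behaviour irrelevant:
    # every '<', '>', '&' and quote becomes an entity, so no tag can form.
    return "<p>Unknown action: " + html.escape(acao, quote=True) + "</p>"


if __name__ == "__main__":
    print("filtered only :", render_unsafe(SAMPLE))
    print("encoded output:", render_safe(SAMPLE))
    print("known action  :", render_safe("inbox"))
```
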