Дополнительная информация

Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )

CA.View/view-law. asp/view-info.asp sql injection

Education_info/edu_vi ew.asp sql injection

Shoutbox 1.0 Remote Command Execution Vulnerability

Coppermine Photo Gallery (yabbse.inc. php) Remote File Inclusion Vulnerability

From:	r0t <krustevs_(at)_googlemail.com>
Date:	10 августа 2007 г.
Subject:	Storesprite XSS vuln.

Storesprite XSS vuln.
###############################################
Vuln. discovered by : r0t
Date: 10 August 2007
vendor:http://www.storesprite.com/
orginal advisory:
http://pridels-team.blogspot.com/2007/08/storesprite-xss-vuln.html
affected versions:Storesprite 7 and previous
###############################################


Storesprite contains a flaw that allows a remote Cross-Site Scripting
attacks.Input passed to the "next" parameter in
"secure/addaddress.php","secure/editshipdetails.php",
"secure/register.php","secure/login.php"
isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################