Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: bt1449.txt

Happymall - One more flaw in Happymall CGI:






----- Original Message -----
From: "People Logic Software" <peoplelogic@pinc.com>
To: <tommy@tnet.net>
Sent: Monday, May 12, 2003 10:19 AM
Subject: Fw: One more flaw in Happymall


>
> ----- Original Message -----
> From: "Julio Cesar" <e2fsck@bol.com.br>
> To: <bugtraq@securityfocus.com>
> Sent: Monday, May 12, 2003 9:19 AM
> Subject: One more flaw in Happymall
>
>
> >
> >
> > Happymall E-Commerce Directory Transversal Bug and Cross-site scripting
> >
> > Vendor: Happycgi.com
> >
> > Product: Happymall
> >
> > Versions: 4.3, 4.4 (patched version too)
> >
> > 'normal_html.cgi' doesn't filter user-supplied input. The well-known
> > directory transversal
> > and cross-site scripting (XSS) vulnerabilities are present in Happymall
> > (patched version too).
> >
> > The impact is that attackers can read files on the system and use XSS
> > tricks to steal
> > cookies and other informations.
> >
> > An example: /shop/normal_html.cgi?file=../../../../../../etc/issue%00
> >     /shop/normal_html.cgi?file=&lt;script&gt;alert("XSS")&lt;/script&gt;
> >
> > Even happycgi.com is vulnerable to these bugs.
> >
> > Solution: I have contacted CERTCC-KR.
> >
> > Greetings: y0Rk, iplogd, rfds, VUGO, psaux, romer, cronus, Sh0dan,
jo3y_,
> > psyc, Red_Hat BoLoDoRio, c7g, C0VER, SaintsLD, sarkastics, B_Real and
> > #xcorp @ BRASNet :)
> >
> > Julio "e2fsck" Cesar, <e2fsck@bol.com.br>
> > e2fsck @ irc.brasnet.org
> >
> > san dimas high school football rules
> >
>
>


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH