Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: bt1451.txt

Happymall - One more flaw in Happymall CGI:






----- Original Message -----
From: "Julio Cesar" <e2fsck@bol.com.br>
To: <bugtraq@securityfocus.com>
Sent: Monday, May 12, 2003 8:19 AM
Subject: One more flaw in Happymall


>
>
> Happymall E-Commerce Directory Transversal Bug and Cross-site scripting
>
> Vendor: Happycgi.com
>
> Product: Happymall
>
> Versions: 4.3, 4.4 (patched version too)
>
> 'normal_html.cgi' doesn't filter user-supplied input. The well-known
> directory transversal
> and cross-site scripting (XSS) vulnerabilities are present in Happymall
> (patched version too).
>
> The impact is that attackers can read files on the system and use XSS
> tricks to steal
> cookies and other informations.
>
> An example: /shop/normal_html.cgi?file=../../../../../../etc/issue%00
>     /shop/normal_html.cgi?file=&lt;script&gt;alert("XSS")&lt;/script&gt;
>
> Even happycgi.com is vulnerable to these bugs.
>
> Solution: I have contacted CERTCC-KR.
>
> Greetings: y0Rk, iplogd, rfds, VUGO, psaux, romer, cronus, Sh0dan, jo3y_,
> psyc, Red_Hat BoLoDoRio, c7g, C0VER, SaintsLD, sarkastics, B_Real and
> #xcorp @ BRASNet :)
>
> Julio "e2fsck" Cesar, <e2fsck@bol.com.br>
> e2fsck @ irc.brasnet.org
>
> san dimas high school football rules
>


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH