If you are running OS Commerce, please test your site for this vulnerability and be sure to stay on top of patches and upgrades that may become available from the OSCommerce support website.
K-OTik Security Advisory : KOTIK/ADV-2005-0171
CVE Reference : CAN-2005-0458
Rated as : Low
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-02-16
* Technical Description *
A new vulnerability was reported in osCommerce, which can be exploited by attackers to conduct Cross Site Scripting attacks. The problem resides in the "contact_us.php" file when handling the "enquiry" parameter, which may be exploited to cause arbitrary scripting code to be executed by the user's browser.
http://site/contact_us.php?&name=1&email=1&enquiry=[XSS] * Affected Products *
osCommerce version 2.2-MS2 and prior
* Solution *
K-OTik Security is not aware of any official supplied patch for this issue.
* References *
http://www.k-otik.com/english/advisories/2005/0171
AlphaOne Technology Support Forums
Author
Logged
