Your Own Classifieds Cross Site Scripting

2013-03-08T00:00:00
ID PACKETSTORM:120706
Type packetstorm
Reporter Rafay Baloch
Modified 2013-03-08T00:00:00

Description

                                        
`*Vendor:*  
http://www.yourownclassifieds.com  
  
*Description:*  
Your Own Classifieds is a script that helps you create your own  
store.  
  
*Discovered by: Rafay Baloch*  
  
Vulnerability: Non persistent XSS  
  
The script fails to sanitize the input that is entered into the text box,  
resulting in XSS.  
  
*POC*:  
http://www.gumtreeclone.com/cat-search/for-sales-2/XSS  
http://www.gumtreeclone.com/cat-search/for-sales-2/%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E  
  
*Fix*:  
  
- All input generated at any point inside the application should be HTML  
encoded and filtered/sanitized before it is  
copied to the application response.  
  
- All HTML special characters should be replaced with their corresponding  
HTML entities.  
  
--   
Warm Regards,  
Rafay Baloch  
  
http://rafayhackingarticles.net  
http://techlotips.com  
`
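
The fix described above, sketched as an added example (not code from the advisory or from the vendor): the search term from the PoC URL is rendered once without encoding and once with HTML entity encoding, then parsed to see which elements and event-handler attributes result. The template, function names and the assumption that the term is reflected into an attribute value and into body text are hypothetical; the application's real markup is not shown on this page.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Path segment copied from the PoC URL on this page (still percent-encoded).
POC_SEGMENT = "%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E"

# Hypothetical template: the term lands in an attribute value and in text.
TEMPLATE = '<input type="text" name="q" value="{term}"><p>Results for {term}</p>'


def render_unsafe(segment: str) -> str:
    """Reflects the decoded term as-is (the behaviour the advisory reports)."""
    return TEMPLATE.format(term=unquote(segment))


def render_encoded(segment: str) -> str:
    """Encodes & < > " ' so the term stays data in both contexts."""
    return TEMPLATE.format(term=html.escape(unquote(segment), quote=True))


class _Audit(HTMLParser):
    """Records elements, on* handler attributes and value= contents."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [n for n, _ in attrs if n.startswith("on")]
        self.values += [v for n, v in attrs if n == "value"]


def audit(markup: str):
    """Returns (tags, handlers, values) as an HTML parser sees the markup."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers, parser.values


if __name__ == "__main__":
    for render in (render_unsafe, render_encoded):
        print(render.__name__, audit(render(POC_SEGMENT)))
```

In the encoded rendering the parser sees only the template's own `input` and `p` elements, and the `value` attribute still carries the user's original characters as text.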