Xopie Virtual Shop Cross Site Scripting

2013-06-25T00:00:00
ID PACKETSTORM:122153
Type packetstorm
Reporter Ivan Sanchez
Modified 2013-06-25T00:00:00

Description

+=============================================================================================+  
+ Xopie Virtual Shop - Reflected XSS in search parameter (arbitrary script execution in the victim's browser) +  
+=============================================================================================+  
  
Author(s): Raul Diaz (Dshellnoi Unix) & Ivan Sanchez (nullcode)  
Product: Xopie Virtual Shop  
Vendor: http://www.xopie.com  
Date: 25/06/2013  
Vendor Notified: 10/06/2013 - 15/06/2013  
Answer: for the moment they do not have the resources to mitigate this issue.  
  
Extract:  
Xopie is a leading hosted e-commerce platform that, for a monthly fee, lets customers set up their own online business; its clients sell all kinds of products...  
  
  
Vulnerable Function (client-side submit handler of the search box; it only rejects empty or placeholder input and performs no encoding or filtering, so whatever is typed into q is sent to the server as-is and reflected back in the results page):  
function searchBoxSubmit(event, strDefaultText) {  
    // Block the submit only when the box is empty or still holds the default text.  
    if ($("#q").val() === "" || $("#q").val() == strDefaultText) {  
        return cancelEvent(event);  
    } else {  
        return true;  
    }  
}  
  
Parameter Affected:  
q=[INJECT HERE]&commandSearch=Buscar  
  
  
Remediation: validate the q parameter on the server and output-encode it everywhere it is reflected in the response (HTML-entity encoding in element text and attribute values; JavaScript string encoding if it is echoed into a script block). The client-side check in searchBoxSubmit is not a control, since an attacker sends the crafted URL directly to the victim and never runs it.  
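The following is an added example, not Xopie code and not part of the original advisory. It models the two passages above: the searchBoxSubmit() check that lets any non-empty term through, and a results page that reflects the q parameter from a URL of the form q=[INJECT HERE]&commandSearch=Buscar, first without encoding (the bug) and then with HTML-entity encoding (the fix). The hostname shop.example, the page markup, the payload and the default text "Buscar" are constructed for illustration; only the parameter names q and commandSearch and the /es/list path come from the advisory.

```javascript
// Added example (not Xopie code): reflected XSS via the "q" search parameter,
// vulnerable rendering beside the hardened form. Runs offline under Node.

// Constructed URL; shop.example and the payload are assumptions, the parameter
// names q/commandSearch and the /es/list path are taken from the advisory.
const CRAFTED_URL =
  'http://shop.example/es/list?q=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&commandSearch=Buscar';

// Extract q the way a server-side request handler sees it (URL-decoded).
function getSearchTerm(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Equivalent of the advisory's client-side searchBoxSubmit(): it only refuses
// an empty box or the untouched default text, never dangerous characters.
// An attacker does not run it anyway; the crafted link goes straight to the victim.
function searchBoxAllows(q, strDefaultText) {
  return !(q === '' || q === strDefaultText);
}

// Vulnerable rendering: the raw term is concatenated into attribute and text context.
function renderResultsVulnerable(q) {
  return '<input id="q" value="' + q + '"><p>Resultados para: ' + q + '</p>';
}

// Minimal HTML-entity encoder, safe for element text and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: identical layout, every reflection of q is encoded.
function renderResultsSafe(q) {
  const e = escapeHtml(q);
  return '<input id="q" value="' + e + '"><p>Resultados para: ' + e + '</p>';
}

// Crude check used to compare the two renderings: did a live <script> tag survive?
function reflectsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk the scenario end to end.
const term = getSearchTerm(CRAFTED_URL);
console.log('client-side check passes:', searchBoxAllows(term, 'Buscar'));
console.log('vulnerable page:', renderResultsVulnerable(term));
console.log('hardened page: ', renderResultsSafe(term));
```

The payload closes the value attribute with `">` before injecting the script tag, which is why encoding must cover the quote character as well as angle brackets; an encoder that only handles `<` and `>` would still leave the attribute context exploitable.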
  
  
Important: more than 6,500 sites are affected (the list below is a sample of hosted shops); vendor notified.  
  
http://www.nxt-telecom.com/es/list  
http://www.softcreativa.com  
http://airballoons.xopie.com/es/list   
http://www.mueblesmarro.com  
http://www.infocrack.cat/es/list  
http://www.proyector.org/es/list  
http://www.extensionesnaturalesonline.com/es/list  
http://vadebisu1.xopie.com/en/list  
http://www.omerchandising.com/en/list  
http://dprk.xopie.com/en/list  
http://www.toolman.es/en/list  
http://www.kiteluxe.es/en/list  
http://www.amparomaciaonline.es/en/list  
http://www.labotigadelbolet.com/en/list  
http://www.koolin.cat/en/list  
http://www.mariaplantis.com/en/list  
http://www.why-not-fly.com/en/list  
http://www.hunternature.com/en/list  
http://www.informaplay.com/en/list  
http://www.complementsperlaindependencia.cat/en/list  
http://hobbyocasion.xopie.com/en/list  
http://mymarcarbara.xopie.com/es/list  
http://labrujula.xopie.com/es/list  
http://dicoelecsas.xopie.com/es/list  
http://deluzlighting.xopie.com/es/list  
http://bazardecalidad.xopie.com/es/list  
http://quarentena.xopie.com/es/list  
http://comprabarato.xopie.com/es/list  
http://digitalsignshop.xopie.com/es/list  
http://hinchadecor.xopie.com/tags/index  
http://voltimum.xopie.com/es/list  
http://mueblesled.xopie.com/es/list  
http://jt1electronica.xopie.com/es/list  
http://fruitaula.xopie.com/tags/index  
http://deliverystores.xopie.com/es/list  
http://lamanida.xopie.com/ca/list  
http://luminoxhair.xopie.com/es/list  
http://auto4x4.xopie.com/es/list  
http://merceriabacares.xopie.com/es/list  
http://habitacionessev.xopie.com/es/list  
http://todoparaiphone.xopie.com/es/list  
http://lamejorsalud.xopie.com/es/list  
http://jldsantandreu.xopie.com/es/list  
http://cuisineslowcost.xopie.com/fr/list  
http://caftansecret.xopie.com/es/list  
http://hinchables.xopie.com/es/list  
http://todovapor.xopie.com/es/list  
http://teitos.xopie.com/es/list  
http://perfumesdemarca.xopie.com/tags/index  
http://mansbotiga.xopie.com/tags/index  
http://casaruraljose.xopie.com/es/list  
http://taotekinstore.xopie.com/es/list  
http://segways.xopie.com/es/list  
http://ropazamora.xopie.com/tags/index  
http://surfplata.xopie.com/es/list  
http://imporchina.xopie.com/es/list  
http://zonafd.xopie.com/es/list  
http://spainholidays.xopie.com/es/list  
http://didicreazioni.xopie.com/es/list  
http://oportunidades.xopie.com/es/list  
http://humedades.xopie.com/es/list  
http://elsupermercado.xopie.com/es/list  
http://cuinesladier.xopie.com/es/list  
http://esfera.xopie.com/es/list  
http://construsevilla.xopie.com/es/list  
http://tejidos.xopie.com/es/list  
  
www.evilcode.com.ar & templesec.org   