shop-xss.txt
11 Jun 2007 00:00:00, reported by suckure, type: packetstorm
Source: packetstormsecurity.com

ShopAtHomeTV website vulnerable to multiple XSS flaws


*Overview*
http://wwww.shopathometv.com, a popular website whose television program runs
late night on local syndicated television, is vulnerable to multiple XSS
flaws. While shopping their site last night, they did not have a product I
was looking for when I entered an item number, so I decided to test a few
things.

*1st Problem:*

The main search box input is not sanitized on the front page. Simply go to
http://www.shopathometv.com and in their product search box type in
<script>alert(document.cookie);</script> and hit the Go inside the circle. When
the page finishes loading, if you are a signed-up user (haven't tested not
signed up) you will get displayed all of your session variables.

*2nd Problem*

On the following page there is an XSS inside the showTitle GET variable.
Click the link below
https://www.shopathometv.com/programguide/thumbnail.jsp?date=null&showId=3203180&showTitle=<script>alert(document.cookie);</script>&sortType=Best%20Selling

*Fix*
Sanitize all input variables.

*Conclusion*
not be shopping there until this is fixed.

-suckure
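The advisory's fix line ("sanitize all input variables") is really about output encoding: both reported sinks echo a request value into HTML without escaping it. The following is an added illustration written for this page; it is not suckure's code and not the site's own JSP. The page templates, the `example.invalid` host, the `escapeHtml` helper and the `reflectedVerbatim` check are all constructed stand-ins that mirror the two problems described above (a search term echoed into the results page, and the `showTitle` query parameter echoed into the program-guide page) beside the encoded versions that neutralise the quoted payload.

```javascript
// Added example, not part of the original advisory. Templates and host are
// invented stand-ins; the real shopathometv.com pages are not on this page.

// Payload quoted verbatim in the advisory.
const XSS_PAYLOAD = '<script>alert(document.cookie);</script>';

// Constructed sample: the advisory's program-guide URL with the host replaced
// by a reserved placeholder so the example never touches a real site.
const SAMPLE_URL =
  'https://example.invalid/programguide/thumbnail.jsp?date=null&showId=3203180' +
  '&showTitle=<script>alert(document.cookie);</script>&sortType=Best%20Selling';

// Minimal HTML entity encoder for a value placed in element text or inside a
// double-quoted attribute. These five characters are the ones that let input
// break out of that context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "1st Problem", vulnerable form: the search term is copied into the results
// page unchanged, so a <script> element inside it is parsed as markup.
function renderSearchUnsafe(query) {
  return `<h2>Results for: ${query}</h2>`;
}

// Hardened form: same template, value encoded at the point of output.
function renderSearchSafe(query) {
  return `<h2>Results for: ${escapeHtml(query)}</h2>`;
}

// "2nd Problem": showTitle is read from the query string. The WHATWG URL
// parser percent-encodes '<' and '>' in the query and searchParams.get()
// decodes them again, so the raw payload reaches the template.
function getShowTitle(url) {
  return new URL(url).searchParams.get('showTitle');
}

function renderProgramGuideUnsafe(url) {
  return `<title>${getShowTitle(url)}</title>`;
}

function renderProgramGuideSafe(url) {
  return `<title>${escapeHtml(getShowTitle(url))}</title>`;
}

// Simple check usable in a regression test: is the submitted value reflected
// byte-for-byte in the response? For a value containing markup, a true result
// means the encoding step is missing.
function reflectedVerbatim(html, value) {
  return html.includes(value);
}

// Stand-alone demonstration.
console.log('unsafe search :', renderSearchUnsafe(XSS_PAYLOAD));
console.log('safe search   :', renderSearchSafe(XSS_PAYLOAD));
console.log('unsafe guide  :', renderProgramGuideUnsafe(SAMPLE_URL));
console.log('safe guide    :', renderProgramGuideSafe(SAMPLE_URL));
```

The encoder is deliberately context-specific: it is correct for element text and quoted attribute values, which is where both reported sinks live. A value written into a `<script>` block, a URL, or an unquoted attribute needs a different encoder, so a real fix is a templating layer that escapes by default rather than a single helper applied by hand.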
