securityvulns: SECURITYVULNS:DOC:10372
Nov 26, 2005 - 12:00 a.m.

Amazon Shop 5.0.0 XSS vuln.


Vuln. discovered by: r0t
Date: 26 Nov. 2005
Original advisory: http://pridels.blogspot.com/2005/11/amazon-shop-500-xss-vuln.html
Vendor: http://www.ghostscripter.com/amazon_shop.php
Affected version: 5.0.0 and prior

Product description:

With Amazon Shop you can run your very own fully functional shop
without dealing with stock, payments etc… just setup an Amazon
Associate account, install the 'Amazon Shop' script using the easy
installation file and you're ready to go! You can easily edit which
categories and items are displayed on your site. You can offer any of
the items that Amazon does and earn up to 15% in referral fees. Built-in
shopping cart allows customers to add their product to the cart and
leave your website only when ready to checkout at Amazon.com.

All pages are easily modified via the built in WYSIWYG editor (i.e. 6+)
Have multiple templates installed, instantly changeable through the admin panel.
Optional Dynamic Title, Sort Box, Meta Keywords and Path bar
Custom Categories & Products
Automatic DB fill for Hot Deals & Featured Items.
Supports US,UK,DE,JP,FR and CA
All languages in language files for easy change
Powerful Admin Panel
Optional mod_rewrite for search engine friendly urls

Vuln. Description:

Input passed to the "query" parameter in "search.php" isn't properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

example:
/search.php?query=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&mode=all&imageField.x=21&imageField.y=4

Solution:
Edit the source code to ensure that input is properly sanitised.
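
What the fix above looks like in practice, as an added example that is not the vendor's code and not part of the original advisory. The markup and the function names (h, render_results_unsafe, render_results_safe) are assumptions, since the source of search.php is not shown here; the query string is the one from the example.

```php
<?php
// Added example: hypothetical stand-in for search.php, not the vendor's code.

// Escape a value for HTML text nodes and quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 'Before': reflects the raw parameter, the pattern the advisory describes.
function render_results_unsafe(array $get): string
{
    $query = isset($get['query']) ? $get['query'] : '';
    return '<h2>Results for ' . $query . '</h2>'
         . '<input type="text" name="query" value="' . $query . '">';
}

// 'After': same markup, but every reflected value passes through h().
// Non-string input (e.g. query[]=x) is treated as an empty search.
function render_results_safe(array $get): string
{
    $query = (isset($get['query']) && is_string($get['query'])) ? $get['query'] : '';
    return '<h2>Results for ' . h($query) . '</h2>'
         . '<input type="text" name="query" value="' . h($query) . '">';
}

// The advisory's example query string, parsed the way PHP fills $_GET.
parse_str(
    'query=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E'
    . '&mode=all&imageField.x=21&imageField.y=4',
    $get
);

echo "unsafe: ", render_results_unsafe($get), "\n";
echo "safe:   ", render_results_safe($get), "\n";

// Regression check: no live markup from the parameter in the hardened output.
$safe = render_results_safe($get);
if (strpos($safe, '<script>') !== false || strpos($safe, '&lt;script&gt;') === false) {
    throw new RuntimeException('query parameter was reflected without encoding');
}
```

ENT_QUOTES matters here because the value is also reflected inside a quoted attribute; encoding only `<` and `>` would leave that context open.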