CKGOLD XSS vuln.
Vuln. discovered by: r0t
Date: 14 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/ckgold-xss-vuln.html
Vendor: http://www.cartkeeper.com/
Affected version: latest
Product Description: CKGOLD - E-Commerce Shopping Cart Solution. The CKGold system is a feature-rich shopping cart developed for those wishing to host their own store with fine-tuned controls for items, inventory, cart and checkout. Below is a list of some of the great features you will find in CKGold. Over the years we've listened to our clients' needs and have designed a rich set of innovative tools to build an effective e-commerce site. We continually plan for improvements and new features based on client feedback and suggestions.
CKGOLD contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to search parameters in "search.php" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution: Edit the source code to ensure that input is properly sanitised.
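One way to apply this fix, shown as an added example that is not CKGold's code and not part of the original advisory: the reflected search term is encoded at output with PHP's htmlspecialchars(). The parameter name "q", the function names and the markup are assumptions, since the advisory does not name the affected parameters.

```php
<?php
declare(strict_types=1);

// Added example, not CKGold source code. The parameter name "q" and the
// markup are assumptions; the advisory only says "search parameters".

/** Encode a value for an HTML text node or a quoted attribute value. */
function html(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: the search term is returned to the user unencoded. */
function render_search_vulnerable(array $query): string
{
    $term = $query['q'] ?? '';
    return '<input name="q" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

/** After: same markup, with the term type-checked and encoded at output. */
function render_search_fixed(array $query): string
{
    $term = $query['q'] ?? '';
    if (!is_string($term)) {
        // PHP turns "q[]=..." into an array; treat that as an empty search.
        $term = '';
    }
    // Encode at every point where the value is written into HTML,
    // both the attribute value and the text node.
    return '<input name="q" value="' . html($term) . '">'
         . '<p>Results for: ' . html($term) . '</p>';
}

// Constructed sample input: markup characters that must not reach the
// page raw. In search.php the array passed in would be $_GET.
$sample = ['q' => '"><b>sale</b>'];
echo render_search_vulnerable($sample), "\n"; // markup is interpreted
echo render_search_fixed($sample), "\n";      // markup is shown as text
```

The encoding shown is correct for HTML text and quoted attribute values only; a value written into a script block, a URL or an unquoted attribute needs the encoder for that context.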