BluePay Manager v2.0 Script Insertion Vulnerability

2006-04-18T00:00:00
ID SECURITYVULNS:DOC:12277
Type securityvulns
Reporter Securityvulns
Modified 2006-04-18T00:00:00

Description

BluePay Manager v2.0 Script Insertion Vulnerability

Vuln. discovered by: r0t
Date: 18 April 2006
Vendor: bluepay.com
Affected versions: v2.0 and previous
Original advisory: http://pridels.blogspot.com/2006/04/bluepay-manager-v20-script-insertion.html

Vuln. description:

Input passed to the "Account Name" and "Username" fields of the login form is not properly sanitised before being returned in the page. This can be exploited to inject arbitrary HTML and script code, which is executed in a user's browser session in the context of the affected site when the malicious input is viewed.

example:

Manual check only:

https://secure.bluepay.com/login

Enter some XSS test characters (for example < > " ') into those fields and submit the form: the characters come back in the response unencoded.

Solution: Edit the source code to ensure that input is properly sanitised, i.e. HTML-encode the submitted values (including quotes, since they are written into attribute values) before they are placed in the page.
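The flaw class and the fix side by side, as an added example that is not BluePay's code and not part of the original advisory: a minimal Python renderer that reflects the two login fields into an error page, first unencoded and then HTML-encoded. The page template, the parameter names account_name and username, and the probe strings are assumptions made for illustration; BluePay's real template and parameter names are not public.

```python
import html

# Hypothetical login-error page. BluePay's real template and parameter
# names are not public; "account_name" and "username" are assumed names
# for the "Account Name" and "Username" login fields. Each value lands
# both in text content and inside an attribute value.
TEMPLATE = (
    '<p>Login failed for account "{account}" (user "{user}").</p>\n'
    '<form method="post" action="/login">\n'
    '  <input name="account_name" value="{account}">\n'
    '  <input name="username" value="{user}">\n'
    '</form>'
)


def render_vulnerable(account_name: str, username: str) -> str:
    """Reflects the submitted values into the page unchanged.

    This is the flaw class the advisory describes: whatever the user typed
    is interpreted by the browser as markup.
    """
    return TEMPLATE.format(account=account_name, user=username)


def render_hardened(account_name: str, username: str) -> str:
    """HTML-encodes both values before they are placed in the page.

    quote=True also encodes " and ', which is required here because the
    values are written into attribute values, not only into text content.
    """
    return TEMPLATE.format(
        account=html.escape(account_name, quote=True),
        user=html.escape(username, quote=True),
    )


# Constructed probes (not taken from the advisory): the first breaks out
# of text content, the second breaks out of a double-quoted attribute.
PROBE_TEXT = "<script>alert(1)</script>"
PROBE_ATTR = '" onfocus="alert(1)" autofocus="'


def is_reflected_unencoded(page: str, probe: str) -> bool:
    """True when the probe survives verbatim, i.e. the page is injectable."""
    return probe in page


def check(render) -> dict:
    """Runs both probes through a renderer and reports which come back raw."""
    page = render(PROBE_TEXT, PROBE_ATTR)
    return {
        "script_tag_reflected": is_reflected_unencoded(page, PROBE_TEXT),
        "attribute_breakout_reflected": is_reflected_unencoded(page, PROBE_ATTR),
    }


if __name__ == "__main__":
    print("vulnerable:", check(render_vulnerable))
    print("hardened:  ", check(render_hardened))
```

The attribute probe is the one worth keeping in a manual test: a renderer that only encodes < and > still fails it, because the payload never needs angle brackets to attach an event handler to the existing input element.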

More information @ unsecured-systems.com/forum/