The Click and Build online eCommerce platform suffers from cross site scripting flaws.
6c6ea864e68c41963fd5902ca74a270ebcd833579e2044b24db470808208e7cc
ClickandBuild: http://apply.clickandbuild.com/
Online eCommerce platform.
Vulnerability
The vulnerability lies in the "listPos" variable in the script running
at cashncarrion.co.uk.
It does not properly secure user inputted variables, presumably as the
user is not supposed to input the variable but can do easily through
the URL.
I was not able to find any other unchecked variables that are printed,
but there could be more.
More information and examples can be found here:
http://www.wheresthebeef.co.uk/XSS/clicknbuild.html
and here:
http://www.wheresthebeef.co.uk/XSS/cash.n.carrion.co.uk.html
The vendor has been informed and claim to have fixed this problem.
--
zxy_rbt2