Comersus BackOffice Plus contains many XSS vulnerabilities. Exploitation provided.
#####################################################
Comersus BackOffice Plus Cross site scripting
Vendor url: http://www.comersus.com/demo.html
Advisory: http://lostmon.blogspot.com/2005/10/comersus-backoffice-plus-cross-site.html
Vendor notify: yes. Exploit available: yes
######################################################
Comersus BackOffice Plus contains a flaw that allows a remote cross
site scripting attack. This flaw exists because the application does
not validate some variables upon submission to the
comersus_backoffice_searchItemForm.asp script. This could allow a user
to create a specially crafted URL that would execute arbitrary code in
a user's browser within the trust relationship between the browser and
the server, leading to a loss of integrity.
#############
version:
##############
Comersus Backoffice plus
###########
solution:
###########
No solution was available at this time.
####################
Timeline
####################
discovered: 24-09-2005
vendor notify: 28-09-2005
vendor response: 28-09-2005
vendor specific bug report: 7-10-2005
Vendor response:-----------
disclosure: 16-10-2005
##################
Proof of concept:
##################
To exploit this flaw you must be logged in...
http://[victim]/backOfficePlus/comersus_backoffice_searchItemForm.asp?forwardTo1=[XSS-CODE]comersus_backoffice_listAssignedCategories.asp&forwardTo2=[XSS-CODE]&nameFT1=[XSS-CODE]Select&nameFT2=[XSS-CODE]
All variables are vulnerable to cross-site scripting.
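A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags requests to comersus_backoffice_searchItemForm.asp whose forwardTo1, forwardTo2, nameFT1 or nameFT2 value decodes to HTML markup characters. The log field order (date, time, client IP, method, URI stem, URI query, status), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Script and parameters named in the advisory (compared case-insensitively).
SCRIPT = "comersus_backoffice_searchitemform.asp"
PARAMS = {"forwardto1", "forwardto2", "nameft1", "nameft2"}
# Characters that let a reflected value leave HTML text or an attribute.
MARKUP = re.compile(r"[<>\"'`]")

# Constructed sample log (assumed field order, see lead-in); not real traffic.
SAMPLE_LOG = """\
2005-10-16 10:00:01 192.0.2.10 GET /backOfficePlus/comersus_backoffice_searchItemForm.asp forwardTo1=comersus_backoffice_listAssignedCategories.asp&nameFT1=Select 200
2005-10-16 10:00:07 192.0.2.44 GET /backOfficePlus/comersus_backoffice_searchItemForm.asp forwardTo1=%3Cb%3Ex%3C/b%3Ecomersus_backoffice_listAssignedCategories.asp&nameFT2=%253Cb%253Ex 200
2005-10-16 10:00:09 192.0.2.44 GET /example/other.asp q=%3Cb%3E 200
"""

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flagged_params(stem, query):
    """Return sorted advisory parameter names whose value carries markup."""
    if not stem.lower().endswith("/" + SCRIPT):
        return []
    hits = set()
    # parse_qsl already decodes once; fully_decode catches double encoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in PARAMS and MARKUP.search(fully_decode(value)):
            hits.add(name.lower())
    return sorted(hits)

def scan(log_text):
    """Return [(client_ip, [flagged parameter names])] for matching requests."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip header directives and short lines
        flagged = flagged_params(fields[4], fields[5])
        if flagged:
            findings.append((fields[2], flagged))
    return findings

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG):
        print(ip, ",".join(names))
```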
##################### End #####################
Thanks to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....