+=============================================================================================+
+ Xopie Virtual Shop & XSS & Allow Execute Evil Remote Code +
+=============================================================================================+

Author(s): Raul Diaz (Dshellnoi Unix) & Ivan Sanchez (nullcode)
Product: Xopie Virtual Shop
Vendor: http://www.xopie.com
Date: 25/06/2013
Vendor Notified: 10/06/2013 - 15/06/2013
Answer: for the moment they do not have resources to mitigate this issue.

Extract: Xopie is a leading company that, for a monthly charge, allows customers to start their own business; their clients sell all kinds of products...

Vulnerable Function:

    function searchBoxSubmit(event, strDefaultText) {
        // Client-side guard only: refuses empty or placeholder input,
        // it does not sanitize the value that is sent in the q parameter.
        if ($("#q").val() === "" || $("#q").val() == strDefaultText) {
            return cancelEvent(event);
        } else {
            return true;
        }
    }

Parameter Affected: q=[INJECT HERE]&commandSearch=Buscar

Remediation: sanitize the q parameter

Important: More than 6.500 sites affected, vendor notified

www.evilcode.com.ar & templesec.org
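The remediation above is "sanitize the q parameter"; the client-side searchBoxSubmit() only refuses empty or placeholder input and is no control against injection. The following is an added example (not Xopie's code, not from the advisory authors) of the server-side fix plus a log check: it assumes the shop echoes q back into the search box's value attribute, and the log lines, field names and renderSearchBox()/isSuspiciousSearch() helpers are constructed for illustration.

```javascript
// Added example, not Xopie's code. Assumes (not confirmed by the advisory)
// that the server reflects the q parameter into the search box.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side rendering of the search form. The client-side
// searchBoxSubmit() only rejects empty/default input, so the reflected
// value must be encoded here, on the server, before it reaches the page.
function renderSearchBox(q) {
  return '<form method="get"><input id="q" name="q" value="' + escapeHtml(q) +
    '"><input type="submit" name="commandSearch" value="Buscar"></form>';
}

// Detection side: pull the q parameter out of an access-log request line
// and flag values that carry markup characters (raw or percent-encoded).
function parseQueryParam(logLine) {
  const m = /[?&]q=([^&\s"]*)/.exec(logLine);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1].replace(/\+/g, ' '));
  } catch (e) {
    return m[1]; // malformed encoding: keep the raw value for inspection
  }
}

function isSuspiciousSearch(logLine) {
  const q = parseQueryParam(logLine);
  return q !== null && /[<>"']/.test(q);
}

function suspiciousLines(lines) {
  return lines.filter(isSuspiciousSearch);
}

// Constructed sample log lines (hypothetical hosts and timestamps).
const SAMPLE_LOG = [
  '10.0.0.5 - - [25/Jun/2013:10:00:01 +0200] "GET /es/list?q=zapatos&commandSearch=Buscar HTTP/1.1" 200 5120',
  '10.0.0.9 - - [25/Jun/2013:10:00:07 +0200] "GET /es/list?q=%22%3E%3Cscript%3E&commandSearch=Buscar HTTP/1.1" 200 5188',
  '10.0.0.7 - - [25/Jun/2013:10:00:09 +0200] "GET /es/list?page=2 HTTP/1.1" 200 4990',
];

console.log(renderSearchBox('"><script>'));
console.log(suspiciousLines(SAMPLE_LOG).length, 'suspicious request(s)');
```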