| Aktivate
Shopping Cart Cross Site Scripting Vulnerability
Type Cross Site Scripting Release Date December 18, 2001 Product / Vendor Aktivate is a complete, end-to-end e-commerce solution aimed at Linux and other Unices. Aktivate is targeted at small to medium sized businesses or charities who want to accept credit card payments over the web. http://www.allen-keul.com/aktivate/ Summary Cross Site Scripting, most dynamic websites are still not filtering user input. This lets remote sites access to write scripts on vulnerable sites & application, stealing cookies, performing actions on behalf of user or modifying look of content on site. Aktivate is prone to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running Aktivate. When a user browses the link, the script code will be executed on the user in the context of the site hosting the affected software. The impact of this issue is that the attacker is able to hijack a legitimate web user's session, by stealing cookie-based authentication credentials. Other cross-site scripting attacks are also possible. https://host/aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<IMG%20h https://host/aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089& Tested Aktivate 1.03 Vulnerable Aktivate 1.03 (And may be other) Disclaimer http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory. Author Tamer Sahin |