|
Family: CGI abuses --> Category: infos
CactuShop XSS and SQL injection flaws Vulnerability Scan
Vulnerability Scan Summary Checks CactuShop flaws
Detailed Explanation for this Vulnerability Test
The remote host runs CactuShop, an e-commerce web application written in ASP.
The remote version of this software is vulnerable to cross-site scripting
due to a lack of sanitization of user-supplied data in the script
'popuplargeimage.asp'.
Successful exploitation of this issue may allow a possible hacker to execute
malicious script code on a vulnerable server.
This version may also be vulnerable to SQL injection attacks in
the scripts 'mailorder.asp' and 'payonline.asp'. The user-supplied
input parameter 'strItems' is not filtered before being used in
an SQL query. Thus the query modification through malformed input
is possible.
Successful exploitation of this vulnerability can enable a possible hacker
to execute commands in the system (via MS SQL the function xp_cmdshell).
Solution: Upgrade to the latest version of this software
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.
|