iScripts eSwap 2.0 cross site scripting and remote SQL injection

2010-06-07 / 2010-06-08
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79
CWE-89

# Title:iScripts eSwap v2.0 sqli and xss vulnerability # Author: Sid3^effects # Published: 2010-06-05 # price:$99.95 # email:shell_c99@yahoo.com # vendor: iScripts # url : http://www.iscripts.com/eswap/ # google dork : Powered by iScripts eSwap. ############### -------------------------------------------------------------------------------------- ####Sid3^effects aKa HaRi### #Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors] #Thanks:*L0rd rusAd&#234;r*,d4rk-blu&#65533;reg;,R45C4L idi0th4ck3r,CR4C|< 008,M4n0j,MaYuR #ShouTZ:kedar,dec0d3r,41.w4r10r #spl shoutz:LiquidWorm,gunslinger_ :D #Catch us at www.andhrahackers.com or www.teamicw.in ############### Description : iScripts eSwap enables you to create an virtual swapmeet site in minutes. End users can list items for swap, sell or buy. Let end users to swap unwanted items for things they want! Users can add items for sale or swap. They can also add their wish list for trading items. eSwap lets you charge users a fee for listing, featured listing and optional escrow service. Credit card payments through Authorize.net , Paypal, 2checkout and Google checkout are supported. Also offline payment methods are supported. The powerful admin section allows you to have multiple categories, sub categories and control every aspects of the business. This exchange platform is the ultimate green business by helping your users to recycle ############### Sql injection and XSS is found in the eswap script V2.0 Xploit :m/ sqli m/ demo url:http://www.iscripts.com/eswap/demo/addsale.php?type=[Sqli] Xploit: m/ Xss m/ XSS is found in search field :D Attack pattern : '"--><script>alert(0x000872)</script> demo url :http://www.iscripts.com/eswap/demo/search.php ############### #Sid3^effects

References:

http://xforce.iss.net/xforce/xfdb/59147
http://www.vupen.com/english/advisories/2010/1360
http://www.securityfocus.com/bid/40597
http://www.exploit-db.com/exploits/13740/
http://packetstormsecurity.org/1006-exploits/iscriptsewap-sqlxss.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top