Main Menu

VIP Services

Critical Alerts

- 28 May 2008

Adobe Flash Player Unspecified Remote Code Execution Vulnerability

 

- 11 Mar 2008

Microsoft Excel Multiple Remote Code Execution Vulnerabilities

 

- 16 Jan 2008

Microsoft Excel File Handling Remote Arbitrary Code Execution Vulnerability

 

- 13 Dec 2007

JustSystems Ichitaro "JSGCI.DLL" Document Processing Remote Buffer Overflow Vulnerability

 

- 11 Dec 2007

Microsoft Internet Explorer Multiple Remote Memory Corruption Vulnerabilities

 

Advisories » Photo Cart "amessage" Parameter Handling Remote Cross-Site Scripting Vulnerability

 

Release Date: 25/03/2008 Severity: Less Critical Less Critical
SecWatch Advisory: SWID1020729 Cause: Input validation error
Solution Status: Vendor Patch Impact: Cross Site Scripting
Exploit Status: None Available Access Vector: From remote
 
Affected Software: Photo Cart 4.x
 
Original Advisory: http://www.picturespro.com/community/forums/photo_cart/index.php?see=v..
CVE: CVE-2008-1536
Secunia: SA29490

 

Description:

An input validation vulnerability in Photo Cart has been reported, which can be exploited by remote users to conduct cross-site scripting attacks.

User-supplied input passed to the "amessage" parameter in index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

 

Affected:

Photo Cart version 4.1.

 

Solution:

The vulnerability has been fixed, apply patch:
http://www.picturespro.com/sp/

 

Credits:

Russ McRee, Holistic InfoSec.org

 

Free Vulnerability Notification Service

Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.