Comersus BackOffice Plus Cross site scripting

#####################################################
Comersus BackOffice Plus Cross site scripting
Vendor url:http://www.comersus.com/demo.html
Advisore:http://lostmon.blogspot.com/2005/10/
comersus-backoffice-plus-cross-site.html
vendor notify:yes exploit available:yes
OSVDB ID:20032
Secunia:17219
Securitytracker:1015064
BID:15118
######################################################

Comersus BackOffice Plus contains a flaw that allows a remote
cross site scripting attack.This flaw exists because the
application does not validate some variables upon submission to
comersus_backoffice_searchItemForm.asp script.This could allow
a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server,leading to a loss of integrity.

#############
version:
##############

Comersus Backoffice plus

###########
solution:
###########

No solution was available at this time.

####################
Timeline
####################

discovered: 24-09-2005
vendor notify:28-09-2005
vendor response:28-09-2005
vendor especific bug report: 7-10-2005
Vendor response:-----------
disclosure: 16-10-2005

##################
Proof of comcept:
##################

For exploit this flaw you must be logged...

http://[victim]/backOfficePlus/comersus_backoffice_searchItemForm.asp?
forwardTo1=[XSS-CODE]comersus_backoffice_listAssignedCategories.asp&
forwardTo2=[XSS-CODE]&nameFT1=[XSS-CODE]Select&nameFT2=[XSS-CODE]

all variables are vulnerables to Cross site
scripting

##################### €nd #####################

Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Lostmon Blogger