HSC Research Group -
Written by Hackers Center
Saturday, 05 May 2007 10:34
[HSC] HSPcomplete PCC Multiple HTML Injection vulnerabilities
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
Hackers Center Security Group (http://www.hackerscenter.com)
Class: Input Validation Error
Local: Yes - PCC
Version: HSPcomplete - (Provider Control Center)
* Exploit is not needed, Attackers can exploit these issues via a web client.
Details: (These are details of the application functions)
- New Customer
+ Support Manager - Setup
- Queues, Mail Gates, Priorities & Category
+ Subscription Manager
- New Credit Term
+ Reseller Manager
- Terms and Conditions
+ Customer Manager
- New Account
- New Reseller Account
+ * User profile is also vul to HTML Injections
+ Miscellaneous settings
- Email Setup
- PDF Generator Setup
- Printable Forms - "new Print Form"
- License Manager - "Log Settings"
[Marketing Director ]
+ Brand Manager
- Skins Customization
+ Anti-fraud Manager
- Recurring Order Creation - Rule Settings "Condition" Has HTMl injection
- "Login" under "Anti-Fraud Filters" has bug
- Reseller Stores & Configure Store - Referrals - Edit - "Add"
+ Discount Manager
- New Promotion
- Product Manager - "Custom Attributes"
+ Virtuozzo Manager
- Application Categories - New Category