| Field | Value |
|---|---|
| VID | 21173 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | Agora.cgi has a cross-site scripting vulnerability. Agora.cgi is a freely available, open source e-commerce shopping cart system. Because of poor input validation (HTML tags are not adequately filtered), Agora.cgi is vulnerable to a cross-site scripting attack when debug mode is enabled. Debug mode is not enabled by default and must be explicitly turned on by an administrator. With debug mode on, an attacker can construct a link to the script that includes maliciously constructed script code. When a web user clicks the link, the script code is executed by the client in the context of the site running Agora.cgi. This issue may be exploited by an attacker to steal cookie-based authentication credentials, permitting the attacker to hijack an Agora.cgi session and perform actions as a legitimate user. This vulnerability is ONLY present when debug mode is enabled. Agora.cgi 4.0e is not vulnerable. |
| Recommendation | Upgrade to the latest version (4.0e and later) of Agora.cgi from http://www.agoracgi.com. |
| Related URL | CVE-2001-1199 (CVE) |
| Related URL | 3702 (SecurityFocus) |
| Related URL | 7708 (ISS) |