[VIM] vendor ack/fix - OSVDB ID: 21716 (fwd)

security curmudgeon jericho at attrition.org
Tue Jan 24 13:44:13 EST 2006



---------- Forwarded message ----------
From:
To: moderators at osvdb.org
Date: Tue, 24 Jan 2006 13:28:59 -0500
Subject: [OSVDB Mods] OSVDB ID: 21716

Official reply from Kryptronic (developers of ClickCartPro):

Kryptronic, developer of ClickCartPro software, has issued an update
to all 5.0 and 5.1 versions of ClickCartPro which combats this XSS
vulnerability.

More info here:

http://www.clickcartpro.com/forum/index.php?showtopic=12172

Public statement concerning the update:

This update contains modifications to the ClickCartPro codebase. These
new codebase modifications create a wrapper for public CGI requests
and strip characters from incoming formdata for those public CGI
requests.

The use of this wrapper prevents user submitted formdata containing
HTML characters from being printed literally within the display
routines.  ClickCartPro has begun to fail tests performed by site
scanning bots because of a positive return on cross-site-scripting
tests.

To ensure these tests are passed by your site in the future and to
avoid security warnings from your hosting provider, we recommend you
apply this update.



Nick Hendler
Kryptronic, Inc.

Corporate: http://www.kryptronic.com/
Software:  http://www.clickcartpro.com/
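The control the statement describes (a wrapper that strips HTML characters from form data before the display routines see it), shown next to output escaping, which keeps the data intact and is the usual fix for this class of issue. This is an added Python illustration, not ClickCartPro's code; it assumes the CGI script has already parsed the request into a dict, and the set of stripped characters is an assumption, since the statement does not list them.

```python
import html
import re
from typing import Dict

# Constructed sample form data, shaped like what a CGI script sees after
# parsing a query string or POST body. Not taken from ClickCartPro.
SAMPLE_FORMDATA: Dict[str, str] = {
    "search": "shoes <script>alert(1)</script>",
    "name": "O'Brien & Sons <b>Ltd</b>",
    "qty": "3",
}

# Characters the input wrapper removes. Hypothetical choice for this
# example; the vendor statement does not say which characters are stripped.
STRIP_CHARS = re.compile(r'[<>"\']')


def strip_html_chars(formdata: Dict[str, str]) -> Dict[str, str]:
    """Input-side wrapper: delete HTML metacharacters from every field.

    This mirrors the 'wrapper for public CGI requests' in the statement.
    Note the side effect: legitimate data such as O'Brien loses characters.
    """
    return {key: STRIP_CHARS.sub("", value) for key, value in formdata.items()}


def escape_for_html(value: str) -> str:
    """Output-side control: encode instead of delete, so the browser treats
    the value as text in an HTML text or double-quoted attribute context."""
    return html.escape(value, quote=True)


def render_results_page(formdata: Dict[str, str]) -> str:
    """Display routine that echoes a field back into HTML with escaping."""
    return "<p>Results for: %s</p>" % escape_for_html(formdata["search"])


def contains_markup(value: str) -> bool:
    """True if the string still holds something a browser could parse as a tag."""
    return bool(re.search(r"<[A-Za-z/]", value))
```

Stripping satisfies a scanner that looks for its probe being reflected verbatim, but escaping at the point of output preserves the customer's data and does not depend on guessing the right character list up front.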
