


Category:   Application (Commerce)  >   Aktivate
Vendors:   Allen and Keul Web Solutions
Allen Keul's Aktivate E-commerce System Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1003010
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 19 2001
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.03; possibly other versions
Description: A vulnerability was reported in the Aktivate e-commerce system. A remote user can conduct cross-site scripting attacks, potentially accessing another user's cookies associated with an Aktivate-enabled web site.

It is reported that Aktivate does not properly filter user-supplied input. A remote user can create HTML in a web page or HTML-based e-mail that includes a malicious link to an Aktivate-enabled web site, where the link contains embedded JavaScript. When another user follows that link, the JavaScript code executes in that user's browser. The code appears to originate from the web site running the Aktivate commerce system and executes in that site's security domain. As a result, the code may be able to access the user's cookies associated with the Aktivate site and take actions on behalf of that user.

The following type of URLs can be used to trigger the vulnerability:



Impact:   A remote user can create malicious code that, when executed by another user, may be able to access the other user's cookies associated with an Aktivate-enabled commerce web site and take actions on behalf of that user.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
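
The input validation error described above, reduced to a minimal case as an added example (not Aktivate's code and not taken from the advisory): a handler that echoes a request parameter into HTML, the same handler with output encoding, and a regression check that tells the two apart. The `item` parameter, the `shop.example` host and all function names are hypothetical.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed, harmless marker used to test whether markup survives reflection.
PROBE = "<script>probe()</script>"


def _param(url, name="item"):
    """Return the decoded value of a query parameter ('item' is hypothetical)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """The flaw: user input is concatenated into HTML without encoding."""
    return "<p>No results for " + _param(url) + "</p>"


def render_hardened(url):
    """The fix: HTML-encode the value (including quotes) at output time."""
    return "<p>No results for " + html.escape(_param(url), quote=True) + "</p>"


def reflects_markup(render, base="http://shop.example/search"):
    """Regression check: True if the handler returns the probe as live markup."""
    page = render(base + "?item=" + quote(PROBE, safe=""))
    return PROBE in page


def session_cookie(sid):
    """Defence in depth: HttpOnly keeps the cookie out of reach of page script."""
    return "Set-Cookie: sid=" + sid + "; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for handler in (render_vulnerable, render_hardened):
        print(handler.__name__, "reflects markup:", reflects_markup(handler))
    print(session_cookie("constructed-session-id"))
```

Output encoding is the primary control; the cookie attributes only limit what a script can read if encoding is missed somewhere.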

Message History:   None.

 Source Message Contents

Subject:  Aktivate Shopping System Cross Site Scripting Vulnerability


Aktivate Shopping System Cross Site Scripting Vulnerability

Cross Site Scripting

Release Date:
December 18, 2001

Product / Vendor:
Aktivate is a complete, end-to-end e-commerce solution aimed at Linux
and other Unices. Aktivate is targeted at small to medium sized
businesses or charities who want to accept credit card payments over
the web.

Cross Site Scripting: most dynamic websites are still not filtering
user input. This lets remote sites write scripts on
vulnerable sites and applications, stealing cookies, performing actions
on behalf of the user, or modifying the look of content on the site.



Aktivate 1.03

Aktivate 1.03 (and maybe others)

Disclaimer: is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Tamer Sahin

PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0



