Prozilla Real Estate Script Lets Remote Users Bypass the Payment Process
SecurityTracker Alert ID: 1009592
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 30 2004
Impact: Modification of user information
Exploit Included: Yes
Vendor Confirmed: Yes
Description: Jason reported a vulnerability in the Prozilla Real Estate script. A remote user can bypass the payment process to obtain listing credits.
It is reported that a remote user can obtain an account, add a listing, select a payment method, log out without paying, and then log in again to obtain listing credits.
The flaw reportedly resides in the 'payment.php' script.
The specific exploit steps are described in the original advisory, available at:
http://hypershack.com/forum/index.php?act=ST&f=2&t=114
Impact: A remote user can bypass the payment process and obtain listing credits.
Solution: The vendor is working on a fix.
Vendor URL: www.prozilla.com/
Cause: State error
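The advisory does not show how 'payment.php' tracks payment state, so the following is an added example and not Prozilla's code: a hypothetical order state machine in Python that releases listing credits only after a server-verified payment, with an audit for credits already granted without one. Every name, state and sample value in it is an assumption.

```python
# Added example, not Prozilla's code: all names and states are hypothetical.
from dataclasses import dataclass

# Legal order transitions; credits may only be granted from "paid".
TRANSITIONS = {
    "created": {"method_selected"},
    "method_selected": {"paid", "cancelled"},
    "paid": {"credited"},
}

@dataclass
class Order:
    order_id: int
    user: str
    credits: int
    state: str = "created"

def advance(order, new_state, verified_payment_ids=frozenset()):
    """Move an order to new_state, refusing any jump the table does not allow."""
    if new_state not in TRANSITIONS.get(order.state, set()):
        raise ValueError(f"illegal transition {order.state} -> {new_state}")
    # "paid" must be backed by a payment the processor confirmed server-side,
    # never by the user having merely chosen a payment method.
    if new_state == "paid" and order.order_id not in verified_payment_ids:
        raise PermissionError("no verified payment for this order")
    order.state = new_state
    return order

def settle_on_login(orders, user, balances):
    """Grant credits at login only for orders that reached "paid"."""
    for o in orders:
        if o.user == user and o.state == "paid":
            balances[user] = balances.get(user, 0) + o.credits
            advance(o, "credited")  # a second login grants nothing more
    return balances.get(user, 0)

def audit_unpaid_credits(orders, verified_payment_ids):
    """Return ids of orders that were credited without a verified payment."""
    return [o.order_id for o in orders
            if o.state == "credited" and o.order_id not in verified_payment_ids]
```

Running `audit_unpaid_credits` over existing order records is a way to find accounts that already hold credits with no matching payment.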
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Jason <jason@neosin.com>
Message History:
None.
Source Message Contents
Date: Mon, 29 Mar 2004 19:21:29 -0800
From: Jason <jason@neosin.com>
Subject: Prozilla - Real Estate Site Script - Listings vulnerability
The details have been posted in this forum a few minutes ago:
http://hypershack.com/forum/index.php?act=ST&f=2&t=114&s=1f62c63d654bb608f0c7e1d8069688e9
regards,
JT