Prozilla Real Estate Script Lets Remote Users Bypass the Payment Process
|
|
SecurityTracker Alert ID: 1009592 |
|
SecurityTracker URL: http://securitytracker.com/id/1009592
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 30 2004
|
Impact:
Modification of user information
|
Vendor Confirmed: Yes Exploit Included: Yes
|
|
Description:
Jason reported a vulnerability in the Prozilla Real Estate script. A remote user can bypass the payment process to obtain listing credits.
It is reported that a remote user can obtain an account, add a listing, select a payment method, logout without paying, and then login again to obtain listing credits.
The flaw reportedly resides in the 'payment.php' script.
The specific exploit steps are described in the original advisory, available at:
http://hypershack.com/forum/index.php?act=ST&f=2&t=114
|
Impact:
A remote user can bypass the payment process and obtain listing credits.
|
Solution:
The vendor is working on a fix.
|
Vendor URL: www.prozilla.com/ (Links to External Site)
|
Cause:
State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 29 Mar 2004 19:21:29 -0800
Subject: Prozilla - Real Estate Site Script - Listings vulnerability
|
The details have been posted in this forum a few minutes ago:
http://hypershack.com/forum/index.php?act=ST&f=2&t=114&s=1f62c63d654bb608f0c7e1d8069688e9
regards,
JT
|
|
