MakeBid Auction Deluxe Cross-Agent Scripting Vulnerability

MakeBid Auction Deluxe is software for hosting real-time auctions on a website. It is written in Perl and will run on most Unix and Linux variants.

MakeBid Auction Deluxe does not filter script code from form fields. As a result, an attacker may submit malicious script code in an auction listing; that code is executed, in the context of the MakeBid Auction Deluxe website, in the browser of any legitimate user who later views the affected auction item.
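The flaw described above is stored (persistent) cross-site scripting: a form field is saved and later written back into a page without encoding. The Perl below is an added illustration, not MakeBid Auction Deluxe code; the function names, the field names (`$title`, `$desc`) and the sample submission are all constructed for this example, since the advisory does not show the product's source. It places the vulnerable rendering pattern beside a hardened one that HTML-encodes every untrusted value at output time, and adds a small check an operator can run over already-stored listings to find entries worth reviewing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Encode the five characters that can change HTML structure. This is a
# hand-rolled equivalent of HTML::Entities::encode_entities($s, '<>&"\''),
# kept inline so the example runs with no non-core modules.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable rendering (hypothetical): the stored field is interpolated
# straight into the page, so any markup the submitter typed becomes live
# markup for every viewer. This is the pattern the advisory describes.
sub render_item_vulnerable {
    my ($title, $desc) = @_;
    return "<h2>$title</h2>\n<p>$desc</p>\n";
}

# Hardened rendering: every untrusted value is encoded at the point of
# output, so the browser treats it as text rather than as tags or script.
sub render_item_hardened {
    my ($title, $desc) = @_;
    return '<h2>' . escape_html($title) . "</h2>\n"
         . '<p>'  . escape_html($desc)  . "</p>\n";
}

# Detection aid for existing data: flag stored descriptions that contain a
# tag or an inline event handler so an operator can review what is already
# in the auction database before, and after, deploying the encoding fix.
sub looks_like_markup {
    my ($s) = @_;
    return $s =~ m{<\s*/?\s*[a-z!/]}i || $s =~ m{\bon[a-z]+\s*=}i;
}

# Constructed sample submission (not taken from the advisory): a harmless
# alert() is enough to show that the hardened path emits it as plain text.
my $title = 'Vintage lamp';
my $desc  = 'Works fine. <script>alert("xss")</script>';

print "--- vulnerable ---\n", render_item_vulnerable($title, $desc);
print "--- hardened ---\n",   render_item_hardened($title, $desc);
printf "flagged for review: %s\n", looks_like_markup($desc) ? 'yes' : 'no';
```

Run with `perl example.pl`: the vulnerable output contains the literal `<script>` tag, while the hardened output contains `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;`, which a browser displays as text. Encoding at output, rather than trying to strip "script code" on input, is the durable fix: it covers every storage path and every field, and does not depend on enumerating dangerous tags.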

This may allow an attacker to steal cookie-based authentication credentials from a legitimate user. In combination with BugTraq ID 4070 "MakeBid Auction Deluxe Plaintext Cookie Vulnerability", it is trivial for an attacker to hijack the account of an auction user.
