During communication with the vendor of Whois.Cart regarding previous entries, Alexandre Lemaire was very helpful and prompt in providing information for the OSVDB team to resolve outstanding questions. During the communication, a few low-concern issues were found. Mr. Lemaire and his team fixed the issues within one hour of my mail.

Brian Martin
OSVDB.org

--

From: security curmudgeon
To: S. Alexandre M. Lemaire
Cc: Mods
Date: Fri, 8 Jul 2005 02:01:03 -0400 (EDT)
Subject: [OSVDB Mods] Re: [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access

Hi Alexandre,

[..]

In the meantime, while poking around http://whoiscart.net/demo/ I did find some other valid XSS vulnerabilities.

/demo/admin/index.php "domains" option: clicking the + on the left, then putting in as the domain name, will create a persistent XSS. Clicking 'save' returns me to the demo main page and pops up my vulnerable warning. Each time that page loads, the script pops up again until I delete the domain.

Clicking the "hosts" option, create a new plan (or cyclic fee, or target) with the same script code, and it will render the script twice.

Clicking the "hosting" option, "Add Line to Hosting Plans", the same script in the 'Package' field will render. The "HKey" variable and others may be as well (difficult to tell if it's the previous script rendering or new input).

The info.php page also provides a lot of information routinely considered sensitive (to the security community), including the installation path, configuration options, versions and more.

During one of these XSS attempts, a portion of SQL syntax appeared at the top of the page as well, which hints at a possible SQL injection scenario.

[..]

From: S. Alexandre M. Lemaire
To: security curmudgeon
Date: Fri, 8 Jul 2005 02:42:47 -0400
Subject: Re: [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access

[..]
I'll have the most recent CVS snap uploaded to the server, and thank you for your time with this. I've just released a patch version with respect to your findings, thank you for having kindly conveyed them - just my luck that you'd find something else whilst I'm trying to convince you that something unrelated is otherwise 'ok'.

[..]
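The stored XSS described in the thread comes from admin form fields (a domain name, a plan name) whose contents are saved and later echoed into HTML unescaped. The following is an added PHP illustration of the two defensive layers that close that class of bug; it is not Whois.Cart code and does not describe the vendor's actual patch. The function names, the regex and the sample rows are constructed for this example.

```php
<?php
// Added illustration (not Whois.Cart code): a field with a narrow legal
// syntax, such as a domain name, should be validated on input, and every
// stored value should be encoded for its HTML context on output.

/**
 * Accept only syntactically valid hostnames: dot-separated labels of letters,
 * digits and hyphens, 1-63 characters each, no leading or trailing hyphen,
 * at least two labels, 253 characters overall. A real domain name can never
 * contain '<', '"' or whitespace, so reject-by-default removes the stored
 * XSS vector from this field entirely.
 */
function isValidDomainName(string $name): bool
{
    if ($name === '' || strlen($name) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool) preg_match('/^' . $label . '(\.' . $label . ')+$/', $name);
}

/**
 * Encode a stored value for an HTML text or double-quoted attribute context.
 * Applied on output regardless of whether the row was validated when saved,
 * so rows stored before the validation existed are still rendered as text.
 */
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows standing in for what a demo database might hold.
$storedDomains = [
    'example.com',
    '<script>alert(1)</script>',   // constructed markup payload, not from the report
];

foreach ($storedDomains as $domain) {
    $status = isValidDomainName($domain) ? 'valid' : 'REJECTED';
    // The browser receives &lt;script&gt;..., i.e. text, never an element.
    echo '<li>' . htmlText($domain) . ' (' . $status . ")</li>\n";
}
```

Validation alone is not enough for free-text fields such as a hosting plan description, which is why the output encoding is the layer that must always be present.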