Mewsoft NetAuction Cross-Site Scripting Vulnerability

Vulnerability ID: 1106796
Vulnerability type: Cross-site scripting
Published: 2002-06-14
Updated: 2005-10-20
CVE ID: CVE-2002-1703
CNNVD-ID: CNNVD-200212-526
Platform: CGI
CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/21553
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-526
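|Vulnerability details
auction.cgi in Mewsoft NetAuction 3.0 contains a cross-site scripting (XSS) vulnerability. A remote attacker can use the Term parameter to execute arbitrary script as other users.
|Exploit (EXP)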
source: http://www.securityfocus.com/bid/5023/info

NetAuction does not filter HTML code from URI parameters, making it prone to cross-site scripting attacks. Attacker-supplied HTML code may be included in a malicious link. The attacker-supplied HTML code will be executed in the browser of a web user who visits this link, in the security context of the host running NetAuction. Such a link might be included in an HTML e-mail or on a malicious webpage.

http://www.xxxx.com/cgi-bin/auction/auction.cgi?action=Sort_Page&View=Search
&Page=0&Cat_ID=&Lang=English&Search=All&Terms=<script>alert('OopS');</script>&
Where=&Sort=Photo&Dir=
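
From the defender's side, the sketch below (an added example, not part of the original advisory or of NetAuction's code) scans web access-log lines for `auction.cgi` requests whose query parameters decode to markup, and shows the HTML encoding that makes an echoed search term inert. The log lines, the function names and the detection regex are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Heuristic (assumption): a search term has no reason to carry tags,
# inline event handlers, or javascript: URLs.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def markup_params(target, script="auction.cgi"):
    """Names of query parameters of `script` whose decoded value holds markup."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + script):
        return []
    hits = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        once = unquote_plus(raw)
        # Decode twice as well, so %253Cscript%253E is not missed.
        if MARKUP.search(once) or MARKUP.search(unquote_plus(once)):
            hits.append(name)
    return hits

def scan_log(lines):
    """Yield (line_number, parameter_names) for log lines worth triaging."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and (hits := markup_params(match.group(1))):
            yield number, hits

def encode_for_html(term):
    """What the page should emit when echoing the term back: inert text."""
    return html.escape(term, quote=True)

# Constructed access-log lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2002:10:00:01 +0000] "GET /cgi-bin/auction/auction.cgi?action=Sort_Page&View=Search&Terms=antique+clock&Sort=Photo HTTP/1.0" 200 5120',
    '192.0.2.11 - - [14/Jun/2002:10:00:07 +0000] "GET /cgi-bin/auction/auction.cgi?action=Sort_Page&View=Search&Terms=%3Cscript%3Ealert(%27OopS%27);%3C/script%3E&Sort=Photo HTTP/1.0" 200 5188',
    '192.0.2.12 - - [14/Jun/2002:10:00:09 +0000] "GET /cgi-bin/auction/auction.cgi?Terms=%253Cscript%253Ex%253C/script%253E HTTP/1.0" 200 5101',
    '192.0.2.13 - - [14/Jun/2002:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: markup in {names}")
    print(encode_for_html("<script>alert('OopS');</script>"))
```

The regex is a triage heuristic for log review, not a substitute for encoding output on the server.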
|References

Source: XF
Name: netauction-parameters-css(9365)
Link: http://xforce.iss.net/xforce/xfdb/9365
Source: BID
Name: 5023
Link: http://www.securityfocus.com/bid/5023
