#######################################################################
ZeusCart Ecommerce Shopping Cart Software Cross-Site Scripting Vulnerability
SecPod Technologies (www.secpod.com)
Author: Sooraj K.S
#######################################################################

SecPod ID: 1003

07/28/2010 Issue Discovered
07/30/2010 Vendor Notified
No Response from Vendor

Class: Cross-Site Scripting
Severity: Medium

Overview:
---------
ZeusCart Ecommerce Shopping Cart Software is prone to a cross-site scripting vulnerability.

Technical Description:
----------------------
ZeusCart Ecommerce Shopping Cart Software is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Input passed via the 'search' parameter in a 'search' action in index.php is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The vulnerability has been tested in ZeusCart 3.0 and 2.3. Other versions may also be affected.

Impact:
-------
Successful exploitation allows an attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.

Affected Software:
------------------
ZeusCart 3.0
ZeusCart 2.3

Tested on:
ZeusCart 3.0 and 2.3 (tested using the Microsoft Internet Explorer browser)

Reference:
----------
http://www.zeuscart.com/
http://secpod.org/blog/?p=109
http://secpod.org/advisories/SECPOD_ZeusCart_XSS.txt

Proof of Concept:
-----------------
1) Input this code in the search box and click search:

'"%22%20style=x:expression(alert(document.cookie))><"

This script executed only in the Microsoft Internet Explorer browser when tested on ZeusCart 3.0 and 2.3.

2) This example worked on ZeusCart version 2.3:

http://www.example.com/?do=search&search='">
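The root cause named above is a reflected value that reaches an HTML attribute without output encoding. The following Python is an added example, not code from the advisory or from ZeusCart: render_vulnerable is a hypothetical reconstruction of the flawed echo-back pattern, render_hardened is the same template with attribute-context encoding, and flag_search_request is a constructed log-triage check. The input element, the function names and the sample query string are assumptions for illustration; only the search payload comes from the advisory.

```python
import html
from urllib.parse import parse_qs, unquote_plus

# Constructed from the advisory's proof-of-concept string, URL-decoded as a web
# server would decode it before application code sees the 'search' value.
POC_SEARCH = unquote_plus("'\"%22%20style=x:expression(alert(document.cookie))><\"")

# Assumed template for the search box (hypothetical; not ZeusCart's markup).
INPUT_PREFIX = '<input type="text" name="search" value="'
INPUT_SUFFIX = '">'


def render_vulnerable(search: str) -> str:
    """Hypothetical reconstruction of the flawed pattern: the raw 'search'
    value is echoed into the value attribute. A quote in the input closes the
    attribute early and everything after it is parsed as new markup."""
    return INPUT_PREFIX + search + INPUT_SUFFIX


def render_hardened(search: str) -> str:
    """Output encoding for the HTML attribute context: html.escape(quote=True)
    turns & < > " and ' into entities, so the value can never close the
    attribute or start a tag, whichever browser renders it."""
    return INPUT_PREFIX + html.escape(search, quote=True) + INPUT_SUFFIX


def attribute_stays_contained(rendered: str) -> bool:
    """Comparison check for the two renderings: take what sits between
    value=" and the closing "> and confirm no raw quote or angle bracket is
    left inside it. Raw characters there mean the attribute was broken out of."""
    inner = rendered[len(INPUT_PREFIX):-len(INPUT_SUFFIX)]
    return not any(ch in inner for ch in '<>"\'')


def flag_search_request(query_string: str) -> bool:
    """Triage signal for access-log review: decode the query string and flag a
    'search' value carrying tag delimiters or the IE-only CSS expression()
    token used in the advisory. Plain quotes alone are not flagged, since they
    are common in legitimate queries (e.g. men's shoes)."""
    params = parse_qs(query_string, keep_blank_values=True)
    for value in params.get("search", []):
        if "<" in value or ">" in value or "expression(" in value.lower():
            return True
    return False


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(POC_SEARCH))
    print("hardened   :", render_hardened(POC_SEARCH))
    # Constructed query string, as it would appear in a web server access log.
    sample = ("do=search&search=%27%22%22%20style%3Dx%3Aexpression"
              "%28alert%28document.cookie%29%29%3E%3C%22")
    print("flagged    :", flag_search_request(sample))
```

Running the block prints the vulnerable rendering with the attribute visibly terminated by the payload's quote, and the hardened rendering with every metacharacter entity-encoded. The encoding fix is browser-independent: the advisory's payload only fired in Internet Explorer because of the expression() construct, but the attribute breakout itself works in any browser, so the fix belongs at the output point, not in a browser-specific filter.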