lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <564F3157.1000406@curesec.com>
Date: Fri, 20 Nov 2015 15:42:31 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: Henri Salo <henri@...v.fi>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] LiteCart 1.3.2: Multiple XSS

Hi,

These vulnerabilities are similar, as both of them are issues with the
query parameter of the search.

However, the issue in version 1.1.2.1 exploits this line:

      <?php if ($_GET['query']) { ?>
    <h1 class="title"><?php echo
sprintf(language::translate('title_search_results_for_s', 'Search
Results for &quot;%s&quot;'), $_GET['query']); ?></h1>
    <?php } ?>

This issue was fixed in version 1.2 by passing the query parameter to
htmlspecialchars before passing it to sprintf.

The issue in version 1.3.2 is that the query parameter is also echoed
unencoded inside the title tag, which is why the POC contains </title>.

Best
Curesec Research Team

Am 11/18/2015 um 6:50 PM schrieb Henri Salo:
> On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:
>> 2. XSS 1
>> http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>
>> 5. Solution
>> To mitigate this issue please upgrade at least to version 1.3.3:
> 
> This seems to be the same vulnerability as CVE-2014-7183[1] found by
> Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
> changelog.
> 
> 1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
> 2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/
> 
> 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ