[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <564F3157.1000406@curesec.com>
Date: Fri, 20 Nov 2015 15:42:31 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: Henri Salo <henri@...v.fi>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] LiteCart 1.3.2: Multiple XSS
Hi,
These vulnerabilities are similar, as both of them are issues with the
query parameter of the search.
However, the issue in version 1.1.2.1 exploits this line:
<?php if ($_GET['query']) { ?>
<h1 class="title"><?php echo
sprintf(language::translate('title_search_results_for_s', 'Search
Results for "%s"'), $_GET['query']); ?></h1>
<?php } ?>
This issue was fixed in version 1.2 by passing the query parameter to
htmlspecialchars before passing it to sprintf.
The issue in version 1.3.2 is that the query parameter is also echoed
unencoded inside the title tag, which is why the POC contains </title>.
Best
Curesec Research Team
Am 11/18/2015 um 6:50 PM schrieb Henri Salo:
> On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:
>> 2. XSS 1
>> http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>
>> 5. Solution
>> To mitigate this issue please upgrade at least to version 1.3.3:
>
> This seems to be the same vulnerability as CVE-2014-7183[1] found by
> Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
> changelog.
>
> 1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
> 2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/
>
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists