zen cart 1.3.9f – Multiple Vulnerabilities

• Exploit Database
• 11 阅读

• 作者： LiquidWorm
  日期： 2010-10-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15165/

• Zen Cart v1.3.9f Multiple Remote Vulnerabilities
  
  
  Vendor: Zen Ventures, LLC
  Product web page: http://www.zen-cart.com
  Version affected: 1.3.9f
  
  Summary: Zen Cart is an online store management system. It is PHP-based, using a MySQL
  database and HTML components. Support is provided for numerous languages and currencies,
  and it is freely available under the GNU GPL.
  
  Desc: Zen Cart v1.3.9f suffers from a persistent cross-site scripting (XSS) and SQL
  injection vulnerability. The SQLi issue lies in "option_name_manager.php" script in the 
  "option_order_by" parameter thru the admin UI (post-auth). Input is not sanitized resulting
  in compromising the db system.
  
  The stored/persistent XSS issue lies pretty much everywhere in the admin panel when editing
  and inserting strings in different categories. Ex:
  
  - In Admin UI go to http://127.0.0.1/admin/record_company.php or Extras > Record Companies
  and click "insert". Fill out the 1st or 3rd or 4th field or all of them, with the string:
  "<script>alert("xss")</script>" and click save. Now...every time when you go back to that page
  it will execute the code for every field.
  
  
  Tested On: Apache 2.2.11 (Win32)
   PHP 5.3.0
   MySQL 5.1.36
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  Zero Science Lab - http://www.zeroscience.mk
  liquidworm gmail com
  
  19.08.2010
  
  
  Vendor status: [19.08.2010] - Vulnerability discovered.
   [22.08.2010] - Vendor contacted.
   [22.08.2010] - Vendor responds asking more details.
   [23.08.2010] - Sent PoC files to vendor.
   [25.08.2010] - Vendor confirms vulnerability.
   [02.09.2010] - Asked vendor for patch release date.
   [08.09.2010] - Vendor states approximately 7 days to patch release.
   [20.09.2010] - Asked vendor for status.
   [24.09.2010] - Asked vendor for status again because of no reply from previous mail.
   [28.09.2010] - Vendor informed about advisory release date.
   [29.09.2010] - Vendor releases version 1.3.9g to address these issues.
   [01.10.2010] - Public advisory released.
  
  
  Advisory ID: ZSL-2010-4966
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4966.php
  
  Vendor Advisory: http://www.zen-cart.com/forum/showthread.php?t=165017
  
  
  PoC:
  
   http://127.0.0.1/admin/options_name_manager.php?option_page=1&option_order_by=/ [ EXPLOIT ]