Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: LiteCart 1.3.2: Multiple XSS

From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Fri, 20 Nov 2015 15:42:31 +0100
Hi,

These vulnerabilities are similar, as both of them are issues with the
query parameter of the search.

However, the issue in version 1.1.2.1 exploits this line:

      <?php if ($_GET['query']) { ?>
    <h1 class="title"><?php echo
sprintf(language::translate('title_search_results_for_s', 'Search
Results for &quot;%s&quot;'), $_GET['query']); ?></h1>
    <?php } ?>

This issue was fixed in version 1.2 by passing the query parameter to
htmlspecialchars before passing it to sprintf.

The issue in version 1.3.2 is that the query parameter is also echoed
unencoded inside the title tag, which is why the POC contains </title>.

Best
Curesec Research Team

Am 11/18/2015 um 6:50 PM schrieb Henri Salo:

On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:

2. XSS 1
http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query=";></title><script>alert(1)</script>
5. Solution
To mitigate this issue please upgrade at least to version 1.3.3:


This seems to be the same vulnerability as CVE-2014-7183[1] found by
Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
changelog.

1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: