Full Disclosure mailing list archives
Re: LiteCart 1.3.2: Multiple XSS
From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Fri, 20 Nov 2015 15:42:31 +0100
Hi, These vulnerabilities are similar, as both of them are issues with the query parameter of the search. However, the issue in version 1.1.2.1 exploits this line: <?php if ($_GET['query']) { ?> <h1 class="title"><?php echo sprintf(language::translate('title_search_results_for_s', 'Search Results for "%s"'), $_GET['query']); ?></h1> <?php } ?> This issue was fixed in version 1.2 by passing the query parameter to htmlspecialchars before passing it to sprintf. The issue in version 1.3.2 is that the query parameter is also echoed unencoded inside the title tag, which is why the POC contains </title>. Best Curesec Research Team Am 11/18/2015 um 6:50 PM schrieb Henri Salo:
On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:2. XSS 1 http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script> 5. Solution To mitigate this issue please upgrade at least to version 1.3.3:This seems to be the same vulnerability as CVE-2014-7183[1] found by Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the changelog. 1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183 2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- LiteCart 1.3.2: Multiple XSS Curesec Research Team (CRT) (Nov 14)
- Re: LiteCart 1.3.2: Multiple XSS Henri Salo (Nov 19)
- Re: LiteCart 1.3.2: Multiple XSS Curesec Research Team (CRT) (Nov 24)
- Re: LiteCart 1.3.2: Multiple XSS Henri Salo (Nov 19)