oss-sec mailing list archives
Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.
From: Akamai <larry0 () me com>
Date: Wed, 02 Oct 2019 06:42:19 -0400
Title: Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions. Author: Larry W. Cashdollar @_larry0 Date: 2019-09-18 CVE-IDs: CVE-2019-8288 CVE-2019-8289 CVE-2019-8290 CVE-2019-8291 Download Site: https://www.abcprintf.com/view_download.php?id=17 Vendor: adcprintf Vendor Notified: 2019-09-18 Vendor Contact: abcprintf () gmail com Advisory: http://www.vapidlabs.com/advisory.php?v=210 Description: "Online store system" is a drop in customizable electronic store front. It has an administrative interface allowing user and product management. Vulnerability: The application contains stored XSS vulnerabilities throughout the form page user_view.php as none of the variables are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie stealing code into their login information form and waiting for an administrative user to navigate to the users panel. CVE-2019-8288 159 echo '<td>'.$row['adidas_member_user'].'</td>'; CVE-2019-8289 160 echo '<td>'. $row['adidas_member_email'] . '</td>'; CVE-2019-8290 The registration form requirements for the member email format can be bypassed by posting directly to sent_register.php allowing special characters to be included and an XSS payload to be injected. CVE-2019-8291 The code in delete_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal allowing a '..' to delete arbitrary files owned by the httpd process. CVE-2019-8292 The code in delete_product.php doesn't check to see if a user has administrative rights before allowing them to delete a product from the database. Exploit Code: 1. Set login name or email to "><script>alert(1);</script> 2. $ curl -s cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent_register.php 3. 4. 5. $ curl -s cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=../women.php" 6. 7. $ curl -s cookie.txt http://example.com/pso/admin/product_delete.php?id=4
Current thread:
- Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions. Akamai (Oct 02)