Arastta 1.1.5: XSS
Date: 2015-12-21 10:56:151. Introduction
| Affected Product: | Arastta 1.1.5 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Website: | http://arastta.org/ |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 11/21/2015 |
| Disclosed to public: | 12/21/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of curesec GmbH |
2. Overview
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
Arastta is an eCommerce software written in PHP. In version 1.1.5, a given URL is echoed unencoded, leading to XSS. This can be used to inject JavaScript keyloggers or to bypass CSRF protection. If the victim is an admin with the right "Tool -> File Manager", this can lead to code execution via the file manager.
3. Proof of Concept
http://localhost/Arastta/index.php/desktops/pc"><script>alert(1)</script>?sort=pd.name&order=DESC
4. Code
/catalog/view/theme/default/template/common/header.tpl
<?php foreach ($links as $link) { ?>
<link href="<?php echo $link['href']; ?>" rel="<?php echo $link['rel']; ?>" />
<?php } ?>
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
| 11/21/2015 | Informed Vendor about Issue (no reply) |
| 12/10/2015 | Reminded Vendor of Disclosure Date (no reply) |
| 12/17/2015 | Disclosed to public |