DHCart Multiple variable XSS and stored XSS
###########################################
DHCart Multiple variable XSS and stored XSS
Vendor URL: http://www.dhcart.com/
Vendor notified: YES  Exploit: YES  Patch: YES
###########################################
DHCart is a PHP-based application that provides a simple-to-use
shopping cart for users purchasing domain names and hosting
services.
DHCart is vulnerable to cross-site scripting and stored
cross-site scripting.
################
Solution
###############
The vendor has reported that the latest version of
DHCart is 3.86 and that there are no security bugs
after v3.85.
#############
See this PoC:
http://Victim/order.php?dhaction=check&submit_domain=Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&ext1=on
or
http://Victim/order.php?dhaction=add&d1=lalalalasss%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=0&h1=1&addtocart1=on&n=3
In this case the XSS is exploitable via the URL, and it is also stored
in the cart: when the user goes to look at his cart, the XSS
is executed again (stored XSS).
Vulnerable code:
Around line 93 in the config.php file we found:
if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;
This is vulnerable because $value is returned to the user without being sanitized.
I have fully patched ... add a function to filter variables and apply this filter to the $value variable.
///////////////////////////////////////////////////////////////////////////
// Code below this point should not need modifying. Do so at your own risk!
///////////////////////////////////////////////////////////////////////////
// Filter a GET value (string or array of strings) before it is used.
function StopXSS($text)
{
    if(!is_array($text))
    {
        // Remove empty call parentheses "()".
        $text = preg_replace("/\(\)/si", "", $text);
        // Remove HTML/PHP tags.
        $text = strip_tags($text);
        // Remove quotes, angle brackets and backslashes.
        $text = str_replace(array("'","\"",">","<","\\"), "", $text);
    }
    else
    {
        // Apply the same three steps to every element of an array value.
        foreach($text as $k=>$t)
        {
            $t = preg_replace("/\(\)/si", "", $t);
            $t = strip_tags($t);
            $t = str_replace(array("'","\"",">","<","\\"), "", $t);
            $text[$k] = $t;
        }
    }
    return $text;
}
// Patched import loop: every GET value passes through StopXSS() first.
if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = StopXSS($value);
######################€nd##################
andry- Moderator
- Posts : 467
Join date : 2010-05-07
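An alternative to filtering input with a character blacklist, as an added example that is not part of the original post or of DHCart: read only the expected parameters, validate them against an allowlist, and HTML-encode at the point of output. The parameter names d1 and x1 come from the second PoC URL above; the helper names and the extension list are assumptions made for the example.

```php
<?php
// Added example, not DHCart code. d1/x1 are taken from the PoC URL in the
// post; get_param(), valid_label(), valid_ext() and h() are hypothetical
// helpers, and the extension list is constructed for the example.

// Read only the parameters the page expects, instead of importing every
// GET variable into the global scope with $$name.
function get_param(array $query, string $name): string
{
    $value = $query[$name] ?? '';
    return is_string($value) ? $value : '';   // reject array-valued input
}

// Allowlist validation: a domain label is letters, digits and inner hyphens.
function valid_label(string $label): bool
{
    return preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $label) === 1;
}

// Allowlist for the extension (constructed list).
function valid_ext(string $ext): bool
{
    return in_array($ext, ['.com', '.net', '.org'], true);
}

// Encode at output so a stored value stays inert in HTML text and in
// quoted attribute values when the cart is rendered later.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the decoded d1/x1 values from the second PoC URL.
// In the application this array would be $_GET.
$query = ['d1' => 'lalalalasss"><script>alert(1)</script>', 'x1' => '.com'];

$label = get_param($query, 'd1');
$ext   = get_param($query, 'x1');

if (valid_label($label) && valid_ext($ext)) {
    // Only validated values reach the cart.
    echo 'Added to cart: ', h($label . $ext), "\n";
} else {
    // A rejected value is still encoded before it is echoed back.
    echo 'Invalid domain name: ', h($label), "\n";
}
```

Encoding in h() is applied again wherever the cart contents are printed, which is what keeps the stored copy from executing on a later page view.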