Zen Cart v1.3.9f Multiple Remote Vulnerabilities

vendor:

Zen Cart

by:

Gjoko 'LiquidWorm' Krstic

8,8

CVSS

HIGH

Persistent Cross-Site Scripting (XSS) and SQL Injection

89, 89.1

CWE

Product Name: Zen Cart

Affected Version From: 1.3.9f

Affected Version To: 1.3.9f

Patch Exists: YES

Related CWE: N/A

CPE: a:zen_ventures:zen_cart

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apache 2.2.11 (Win32), PHP 5.3.0, MySQL 5.1.36

2010

Zen Cart v1.3.9f Multiple Remote Vulnerabilities

Zen Cart v1.3.9f suffers from a persistent cross-site scripting (XSS) and SQL injection vulnerability. The SQLi issue lies in 'option_name_manager.php' script in the 'option_order_by' parameter thru the admin UI (post-auth). Input is not sanitized resulting in compromising the db system. The stored/persistent XSS issue lies pretty much everywhere in the admin panel when editing and inserting strings in different categories.

Mitigation:

Upgrade to the latest version of Zen Cart, which includes a patch for this vulnerability.

Source

Exploit-DB raw data:

Zen Cart v1.3.9f Multiple Remote Vulnerabilities


Vendor: Zen Ventures, LLC
Product web page: http://www.zen-cart.com
Version affected: 1.3.9f

Summary: Zen Cart is an online store management system. It is PHP-based, using a MySQL
database and HTML components. Support is provided for numerous languages and currencies,
and it is freely available under the GNU GPL.

Desc: Zen Cart v1.3.9f suffers from a persistent cross-site scripting (XSS) and SQL
injection vulnerability. The SQLi issue lies in "option_name_manager.php" script in the 
"option_order_by" parameter thru the admin UI (post-auth). Input is not sanitized resulting
in compromising the db system.

The stored/persistent XSS issue lies pretty much everywhere in the admin panel when editing
and inserting strings in different categories. Ex:

- In Admin UI go to http://127.0.0.1/admin/record_company.php or Extras > Record Companies
and click "insert". Fill out the 1st or 3rd or 4th field or all of them, with the string:
"<script>alert("xss")</script>" and click save. Now...every time when you go back to that page
it will execute the code for every field.


Tested On: Apache 2.2.11 (Win32)
           PHP 5.3.0
           MySQL 5.1.36


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
liquidworm gmail com

19.08.2010


Vendor status: [19.08.2010] - Vulnerability discovered.
               [22.08.2010] - Vendor contacted.
               [22.08.2010] - Vendor responds asking more details.
               [23.08.2010] - Sent PoC files to vendor.
               [25.08.2010] - Vendor confirms vulnerability.
               [02.09.2010] - Asked vendor for patch release date.
               [08.09.2010] - Vendor states approximately 7 days to patch release.
               [20.09.2010] - Asked vendor for status.
               [24.09.2010] - Asked vendor for status again because of no reply from previous mail.
               [28.09.2010] - Vendor informed about advisory release date.
               [29.09.2010] - Vendor releases version 1.3.9g to address these issues.
               [01.10.2010] - Public advisory released.


Advisory ID: ZSL-2010-4966
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4966.php

Vendor Advisory: http://www.zen-cart.com/forum/showthread.php?t=165017


PoC:

 http://127.0.0.1/admin/options_name_manager.php?option_page=1&option_order_by=/ [ EXPLOIT ]