Lucene search
+L

LiteCart 1.3.2 Cross Site Scripting

🗓️ 16 Nov 2015 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

LiteCart 1.3.2 XSS Vulnerabilities Fixed in 1.3.

Code
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: LiteCart 1.3.2  
Fixed in: 1.3.3  
Fixed Version Link: https://www.litecart.net/downloading?version=1.3.3.1  
Vendor Contact: [email protected]  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 09/07/2015  
Disclosed to public: 11/13/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. XSS 1  
  
Description  
  
The query parameter of the search is vulnerable to XSS.  
  
Proof of Concept  
  
  
http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>  
  
Code  
  
  
public_html/pages/search.inc.php  
document::$snippets['title'][] = empty($_GET['query']) ? language::translate('title_search_results', 'Search Results') : sprintf(language::translate('title_search_results_for_s', 'Search Results for "%s"'), $_GET['query']);  
  
3. XSS 2  
  
Description  
  
The value of the GET parameter slide_id is passed to trigger_error if it is an  
invalid id. trigger_error does not encode input, and as LiteCart shows errors  
by default, this leads to an XSS vulnerability.  
  
Proof of Concept  
  
  
http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=slides&doc=edit_slide&page=1&slide_id=<script>alert(1)</script>  
  
Code  
  
  
includes/controllers/ctrl_slide.inc.php  
if (empty($this->data)) trigger_error('Could not find slide ('. $slide_id .') in database.', E_USER_ERROR);  
  
4. XSS 3  
  
Description  
  
The value of the GET parameter doc is passed to trigger_error if it is invalid.  
trigger_error does not encode input, and as LiteCart shows errors by default,  
this leads to an XSS vulnerability. Additionally, the accessing of non-existing  
array values leads to a notice, which contains the index unsanitized. Because  
of this, $app_config['docs'][$_GET['doc']] can also lead to XSS.  
  
Proof of Concept  
  
  
http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=appearance&doc=<script>alert(1)</script>  
  
Code  
  
  
admin/index.php  
if (!empty($_GET['doc'])) {  
if (empty($app_config['docs'][$_GET['doc']]) || !file_exists(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']])) trigger_error($_GET['app'] .'.app/'. $_GET['doc'] . ' is not a valid admin document', E_USER_ERROR);  
include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']]);  
} else {  
include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$app_config['default']]);  
}  
  
5. Solution  
  
To mitigate this issue please upgrade at least to version 1.3.3:  
  
https://www.litecart.net/downloading?version=1.3.3.1  
  
Please note that a newer version might already be available.  
  
6. Report Timeline  
  
09/07/2015 Informed Vendor about Issue  
10/05/2015 Vendor releases fix  
11/13/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/LiteCart-132-Multiple-XSS-72.html  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Nov 2015 00:00Current
7.4High risk
Vulners AI Score7.4
30