Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Magento Community Edition 1.3.2.43 Cross Site Scripting

🗓️ 05 Jan 2010 00:00:00Reported by Justin C. Klein KeaneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 63 Views

Magento Community Edition 1.3.2.43 Cross Site Scripting vulnerability affects product name, SKU, description, customer group, category name, attribute set, and sitemap path

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
The full text of this advisory can be found at:  
http://www.madirish.net/?article=445  
  
Description of Vulnerability:  
- -----------------------------  
Magento (http://www.magentocommerce.com/) is an eCommerce platform  
written in MySQL and PHP. Magento contains numerous serious cross site  
scripting (XSS) vulnerabilities.  
  
Systems affected:  
- -----------------  
Magento community edition version 1.3.2.43 was tested and shown to be  
vulnerable  
  
Mitigating factors  
- ------------------  
None of the vulnerabilities described below can be exploited by  
unauthenticated users. An attacker must have credentials to access the  
site in order to perform the proof of concept attacks detailed below.  
  
Vulnerable fields:  
- ------------------  
The following is a list of fields and presentation screens that suffer  
from cross site scripting vulnerabilities:  
  
== Product Name ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'product name'  
  
Proof of concept:  
1. Click on Catalog -> Manage Products and click the 'Add Product' button  
2. Select default settings and click the 'Continue' button  
3. Enter "<script>alert('xss');</script>" in the 'Name' field  
4. Enter arbitrary data in the other required fields and click the  
'Save' button  
5. Click on Sales -> Orders then 'Create New Order'  
6. Select any customer  
7. Click 'Add Products'  
8. Select the newly created product and lick 'Add Selected Product(s)  
to Order'  
9. Observe the JavaScript alert  
  
== Product SKU ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'product SKU'  
  
Proof of concept:  
1. Create a new product as above, except enter the script value for the  
product SKU  
2. Create a new review of the product from Catalog -> Reviews and  
Ratings -> Cutomer Reviews -> All Reviews and clicking the 'Add New  
Review' button  
3. Save the product review to view the JavaScript  
  
== Product Description ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'product description'. Any Javascript in a  
product description will be rendered when a customer views the product  
details of that product.  
  
== Customer Group Name ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'customer group name'  
  
Proof of concept:  
1. Click on Customers -> Customer Groups  
2. Click the 'Add New Customer Group' button  
3. Enter "<script>alert('xss');</script>" for the 'Group Name'  
4. Click 'Save Customer Group'  
5. Click Customers -> Manage Customers  
6. Observe the JavaScript alert (twice)  
  
== Product Category Name ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'Product category name'  
  
Proof of concept:  
1. Click on Catalog -> Manage Categories  
2. Click on 'Add Root Category'  
3. Click on the 'General Information' tab  
4. Enter "<script>alert('xss');</script>" for the 'Name'  
5. Click the 'Save Category' button  
6. Click the new category name from the left  
7. Observe the Javascript alert  
  
== Attribute Set ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'Attribute set name'  
  
Proof of concept:  
1. Click on Catalog -> Attributes -> Manage Attribute Sets  
2. Click the 'Add New Set' button  
3. Enter "<script>alert('xss');</script>" for the 'Name'  
4. Click 'Save Attribute Set'  
5. Observe the JavaScript alert  
  
== Sitemap Path ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'Sitemap path'  
  
Proof of concept:  
1. Click on Catalog -> Google Sitemap  
2. Click 'Add Sitemap'  
3. Enter "<script>alert('xss');</script>" for the Path  
4. Click 'Save & Generate' button  
5. Observe the Javascript alert  
  
== Customer Tax Class, Product Tax Class, Tax Rate ID ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'Customer tax class name', 'Product tax class  
name', or 'Tax rate id' fields  
  
Proof of concept is only provided for Customer Tax Class (others follow  
same methodology):  
1. Click on Sales -> Tax -> Customer Tax Classes  
2. Click the 'Add New' button  
3. Enter "<script>alert('xss');</script>" for the Class Name  
4. Click 'Save Class'  
5. Click on Sales -> Tax -> Manage Tax Rule  
6. Observe Javascript  
  
N.B. The Product Tax Class XSS also affects the Catalog Advanced Search  
page at index.php/catalogsearch/advanced/  
  
== Poll Question ==  
The Magento platform suffers from a XSS vulnerability because it does  
not properly sanitize the 'Poll Question' or 'Poll Answer' fields  
  
Proof of concept:  
1. Click on CMS -> Poll Manager  
2. Click the 'Add New Poll' button  
3. Enter "<script>alert('xss');</script>" for the Poll Question  
4. Click the 'Poll Answers' tab  
5. Click the 'Add New Answer' button  
6. Enter "<script>alert('xss');</script>" for the Answer Title  
7. Click the 'Save Poll'  
8. Observe the Javascript alerts when the poll renders at index.php  
  
  
== Architecture ==  
Magento stores submitted values in the database without any filtration.  
In this model it becomes imperative that data be filtered for XSS  
before display. Whereas only one point of data input exists, there can  
be countless points of data display that expand beyond Magento core as  
modules are applied. The polluted data layer allows XSS to creep  
forward into display layers with ease unless extreme care is taken by  
developers.  
  
- --   
Justin C. Klein Keane  
http://www.MadIrish.net  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.10 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/  
  
iPwEAQECAAYFAktCFkIACgkQkSlsbLsN1gAvpQb/VH2krfCKertSsXhFANajrmcL  
7efU7cUQ2lJDBAXcbhojgf2G8wJEmShsj91TQ9juEvhG+3tVkffcMoUG2wFMnqrx  
qRlS8gPCGIAdhIfLEpTeRHu2ANRpaJzrUrU9pAGHLPaRC+WTFrLlMfTK9k+jbutE  
RTI2BgzDmX7cOz65CrKsQ4Y6TnNT2RscV1YL/c1VHJesgga7sRiPY/pdFW4mRCPg  
ZcP0Bb78WEN1QAQl6nHtSEqZATvCnkbfiScKE6qfu2sksOlzNFUIqgSgME4mAJY1  
grCgYAC/jMvY8jL4/Q8=  
=eO2B  
-----END PGP SIGNATURE-----  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jan 2010 00:00Current
magentocross site scriptingvulnerabilityproduct nameskudescriptioncustomer groupcategory nameattribute setsitemap pathmitigating factorsproof of concept.
63