Vulners
Lucene search
LiteCart 1.3.2 Cross Site Scripting Vulnerability
1. Introduction
Affected Product: LiteCart 1.3.2
Fixed in: 1.3.3
Fixed Version Link: https://www.litecart.net/downloading?version=1.3.3.1
Vendor Contact: [email protected]
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. XSS 1
Description
The query parameter of the search is vulnerable to XSS.
Proof of Concept
http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>
Code
public_html/pages/search.inc.php
document::$snippets['title'][] = empty($_GET['query']) ? language::translate('title_search_results', 'Search Results') : sprintf(language::translate('title_search_results_for_s', 'Search Results for "%s"'), $_GET['query']);
3. XSS 2
Description
The value of the GET parameter slide_id is passed to trigger_error if it is an
invalid id. trigger_error does not encode input, and as LiteCart shows errors
by default, this leads to an XSS vulnerability.
Proof of Concept
http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=slides&doc=edit_slide&page=1&slide_id=<script>alert(1)</script>
Code
includes/controllers/ctrl_slide.inc.php
if (empty($this->data)) trigger_error('Could not find slide ('. $slide_id .') in database.', E_USER_ERROR);
4. XSS 3
Description
The value of the GET parameter doc is passed to trigger_error if it is invalid.
trigger_error does not encode input, and as LiteCart shows errors by default,
this leads to an XSS vulnerability. Additionally, the accessing of non-existing
array values leads to a notice, which contains the index unsanitized. Because
of this, $app_config['docs'][$_GET['doc']] can also lead to XSS.
Proof of Concept
http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=appearance&doc=<script>alert(1)</script>
Code
admin/index.php
if (!empty($_GET['doc'])) {
if (empty($app_config['docs'][$_GET['doc']]) || !file_exists(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']])) trigger_error($_GET['app'] .'.app/'. $_GET['doc'] . ' is not a valid admin document', E_USER_ERROR);
include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']]);
} else {
include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$app_config['default']]);
}
5. Solution
To mitigate this issue please upgrade at least to version 1.3.3:
https://www.litecart.net/downloading?version=1.3.3.1
Please note that a newer version might already be available.
6. Report Timeline
09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
11/13/2015 Disclosed to public
# 0day.today [2018-04-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Nov 2015 00:00Current
6.7Medium risk
Vulners AI Score6.7