AbanteCart 1.1.3 (index.php) Multiple Reflected XSS Vulnerabilities

2013-02-13T00:00:00
ID ZSL-2013-5125
Type zeroscience
Reporter Gjoko Krstic
Modified 2013-02-13T00:00:00

Description

Title: AbanteCart 1.1.3 (index.php) Multiple Reflected XSS Vulnerabilities
Advisory ID: ZSL-2013-5125
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 13.02.2013

Summary

AbanteCart is a free PHP based eCommerce solution for merchants to provide ability creating online business and sell products online quick and efficient.

Description

AbanteCart suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to 'index.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

Belavier Commerce - <http://www.abantecart.com>

Affected Version

1.1.3

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a

Vendor Status

[16.02.2013] Vendor releases fix for these issues.

PoC

abantecart_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://cxsecurity.com/issue/WLB-2013020095>
[2] <http://packetstormsecurity.com/files/120273>
[3] <http://secunia.com/advisories/52165/>
[4] <http://www.securelist.com/en/advisories/52165>
[5] <http://1337day.com/exploit/20358>
[6] <http://www.osvdb.org/show/osvdb/90225>
[7] <http://xforce.iss.net/xforce/xfdb/82073>
[8] <http://www.securityfocus.com/bid/57948>
[9] <http://forum.abantecart.com/index.php/topic,635.0.html>

Changelog

[13.02.2013] - Initial release
[14.02.2013] - Added reference [2], [3], [4] and [5]
[15.02.2013] - Added reference [6]
[16.02.2013] - Added reference [7] and [8]
[17.02.2013] - Added vendor status and reference [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;