<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Akamai <larry0 () me com>
Date: Wed, 02 Oct 2019 06:42:19 -0400
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Title: Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.
Author: Larry W. Cashdollar @_larry0
Date: 2019-09-18
CVE-IDs: CVE-2019-8288 CVE-2019-8289 CVE-2019-8290 CVE-2019-8291
Download Site: https://www.abcprintf.com/view_download.php?id=17
Vendor: adcprintf
Vendor Notified: 2019-09-18
Vendor Contact: abcprintf () gmail com
Advisory: http://www.vapidlabs.com/advisory.php?v=210
Description: "Online store system" is a drop in customizable electronic store front. It has an administrative interface
allowing user and product management.
Vulnerability:
The application contains stored XSS vulnerabilities throughout the form page user_view.php as none of the variables
are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie stealing
code into their login information form and waiting for an administrative user to navigate to the users panel.
CVE-2019-8288
159 echo '<td>'.$row['adidas_member_user'].'</td>';
CVE-2019-8289
160 echo '<td>'. $row['adidas_member_email'] . '</td>';
CVE-2019-8290 The registration form requirements for the member email format can be bypassed by posting directly to
sent_register.php allowing special characters to be included and an XSS payload to be injected.
CVE-2019-8291 The code in delete_file.php doesn't check to see if a user has administrative rights nor does it check
for path traversal allowing a '..' to delete arbitrary files owned by the httpd process.
CVE-2019-8292 The code in delete_product.php doesn't check to see if a user has administrative rights before allowing
them to delete a product from the database.
Exploit Code:
1. Set login name or email to "><script>alert(1);</script>
2. $ curl -s cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com"
http://example.com/pso/sent_register.php
3.
4.
5. $ curl -s cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=../women.php";
6.
7. $ curl -s cookie.txt http://example.com/pso/admin/product_delete.php?id=4
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions. Akamai (Oct 02)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->