[webapps / 0day] - Zen Cart v1.3.9f Multiple Remote Vulnerab
Posted on 01 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Zen Cart v1.3.9f Multiple Remote Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 1 Oct 2010 | Exploit category: webapps / 0day | Exploit author: LiquidWorm | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>================================================ Zen Cart v1.3.9f Multiple Remote Vulnerabilities ================================================ Vendor: Zen Ventures, LLC Product web page: http://www.zen-cart.com Version affected: 1.3.9f Summary: Zen Cart is an online store management system. It is PHP-based, using a MySQL database and HTML components. Support is provided for numerous languages and currencies, and it is freely available under the GNU GPL. Desc: Zen Cart v1.3.9f suffers from a persistent cross-site scripting (XSS) and SQL injection vulnerability. The SQLi issue lies in "option_name_manager.php" script in the "option_order_by" parameter thru the admin UI (post-auth). Input is not sanitized resulting in compromising the db system. The stored/persistent XSS issue lies pretty much everywhere in the admin panel when editing and inserting strings in different categories. Ex: - In Admin UI go to http://127.0.0.1/admin/record_company.php or Extras > Record Companies and click "insert". Fill out the 1st or 3rd or 4th field or all of them, with the string: "<script>alert("xss")</script>" and click save. Now...every time when you go back to that page it will execute the code for every field. Tested On: Apache 2.2.11 (Win32) PHP 5.3.0 MySQL 5.1.36 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic Zero Science Lab - http://www.zeroscience.mk liquidworm gmail com 19.08.2010 Vendor status: [19.08.2010] - Vulnerability discovered. [22.08.2010] - Vendor contacted. [22.08.2010] - Vendor responds asking more details. [23.08.2010] - Sent PoC files to vendor. [25.08.2010] - Vendor confirms vulnerability. [02.09.2010] - Asked vendor for patch release date. [08.09.2010] - Vendor states approximately 7 days to patch release. [20.09.2010] - Asked vendor for status. [24.09.2010] - Asked vendor for status again because of no reply from previous mail. [28.09.2010] - Vendor informed about advisory release date. [29.09.2010] - Vendor releases version 1.3.9g to address these issues. [01.10.2010] - Public advisory released. Advisory ID: ZSL-2010-4966 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4966.php Vendor Advisory: http://www.zen-cart.com/forum/showthread.php?t=165017 PoC: http://127.0.0.1/admin/options_name_manager.php?option_page=1&option_order_by=/ [ EXPLOIT ] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-01]</pre></body></html>
