Vulnerability - cpCommerce - XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability - cpCommerce - XSS
From: jadoba@xxxxxxxxxx
Date: 25 May 2007 14:04:18 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

cpcommerce is a FOSS php-based e-commerce (shopping cart) web application. 

Exploit: Javascript placed inside a user's "Full Name:" field will not be 
stripped - it will be added to the database 'as-is' as long as it has no 
quotations in the string. When the admin goes to the clients view page, the 
javascript is executed as the rogue client's name appears. 

Gravity: The attacker can potentially fetch the admin's cookie or do a vast 
amount of other things.

Complication: This is very trivial to reproduce. Anyone with experience coding 
javascript can presently take advantage of the admin account of any unpatched 
cpcommerce shopping cart.

This is only one aspect of this cross-site scripting vulnerability. I still 
have yet to test other parts of my site which have user-inputted information 
such as product reviews and order forms.

I tested this with 1.1.0 (the latest version) - the OS is debian etch running 
apache2, php5 and mysql5. I suspect that earlier versions of cpcommerce are 
most likely also vulnerable.

Prev by Date: Web Directory / Search Engine v2.0 Authentication Bypass/Database Download Vulne
Next by Date: TSLSA-2007-0019 - multi
Previous by thread: Web Directory / Search Engine v2.0 Authentication Bypass/Database Download Vulne
Next by thread: TSLSA-2007-0019 - multi
Index(es):
- Date
- Thread