# Exploit Title : iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover # Date : 2013/12/14 # Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com # Software Link : http://www.iscripts.com # Author HomePage: http://security-geeks.blogspot.com # Tested on: Server : Apache/2.2.15 PHP/5.3.3 # Cross-site Scripting iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which attacker can manipulate user data via sending him malicious craft url. XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients. In Product_review.php line 52--- Persistent XSS mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."', '".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error()); $_POST['txtReview'] is inserted without sanitizing. Exploitation Goto http://site.tld/product_review.php?pid=[any product id] Paste your xss vector and submit. XSS vector will be executed here http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review. # Cross-site request forgery
# XSS+CSRF Mass Email Change /Mass Account Takeover XSS+CSRF can be used to change mass user email , after changing the email we can change the password too via forget password option and providing email. Just inject a CSRF iframe as XSS vector on product_review.php E.g Inject.html ---> CRSF exploit So now whenever user browse different products their useremail will be changed automatically. #Independent Pakistani Security Researcher