iScripts MultiCart 2.4 – Persistent Cross-Site Scripting / Cross-Site Request Forgery / Cross-Site Scripting / Cross-Site Request Forgery / Mass Accounts Takeover

# Exploit Title: iScripts MultiCart <=2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover

# Date : 2013/12/14

# Exploit Author : Saadat Ullah ， saadi_linux[at]rocketmail[dot]com

# Software Link: http://www.iscripts.com

# Author HomePage: http://security-geeks.blogspot.com

# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScript MultiCart is an paid shoping cart system , suffers from XSS and Cross-site request forgery vulnerability through which

attacker can manipulate user data via sending him malicious craft url.

XSS in product Review , so alot exploitation can be done as inject code will be execute whenever a product is visited by clients.

In Product_review.php line 52--- Persistent XSS

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',

'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());

$_POST['txtReview'] is inserted without sanitizing.

Exploitation

Goto http://site.tld/product_review.php?pid=[any product id]

Paste your xss vector and submit.

XSS vector will be executed here

http://site.tld/productdetails.php?productid=1 -->same product id for which you submited the review.

# Cross-site request forgery

<html>

<formname="ex"action="http://localhost/profile.php" method=post >

</form>

</html>

# XSS+CSRF Mass Email Change /Mass Account Takeover

XSS+CSRF can be used to change mass user email ,after changing the email we can change the password too via

forget password option and providing email.

Just inject a CSRF iframe as XSS vector on product_review.php

E.g

Inject.html ---> CRSF exploit

So now whenever user browse different products their useremail will be changed automatically.

#Independent Pakistani Security Researcher