Title: Multiple vulnerabilities in Online store system v1.0: Stored XSS and unauthenticated product deletions
Author: Larry W. Cashdollar
Date: 2019-09-18
CVE-ID: CVE-2019-8288, CVE-2019-8289, CVE-2019-8290, CVE-2019-8291, CVE-2019-8292
CWE:
Download Site: https://www.abcprintf.com/view_download.php?id=17
Vendor: abcprintf
Vendor Notified: 2019-09-18
Vendor Contact: abcprintf@gmail.com
Advisory: http://www.vapidlabs.com/advisory.php?v=210
Description: "Online store system" is a drop-in, customizable electronic storefront. It has an administrative interface allowing user and product management.
Vulnerability: The application contains stored XSS vulnerabilities throughout the user_view.php form pages, as none of the variables are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie-stealing code into their login information form and waiting for an administrative user to navigate to the users panel.
CVE-2019-8288 (user_view.php, line 159):
echo '<td>'.$row['adidas_member_user'].'</td>';
CVE-2019-8289 (user_view.php, line 160):
echo '<td>'. $row['adidas_member_email'] . '</td>';
CVE-2019-8290
The registration form's requirements for the member email format can be bypassed by posting directly to sent_register.php, allowing special characters to be included and an XSS payload to be injected.
CVE-2019-8291
The code in delete_file.php does not check whether a user has administrative rights, nor does it check for path traversal, allowing a '..' sequence to delete arbitrary files owned by the httpd process.
CVE-2019-8292
The code in delete_product.php does not check whether a user has administrative rights before allowing them to delete a product from the database.
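The following is an added example of the defensive patterns that address the four issue classes above (output escaping, server-side email validation, an authorization check before deletions, and confining file deletion to one directory). It is not code from the advisory or from the Online store system; the function names, the `is_admin` session key and the upload directory are assumptions.

```php
<?php
// Added example: hardening patterns for the issues described in this advisory.
// Not vendor code; function names, session key and directory are assumptions.

// CVE-2019-8288 / CVE-2019-8289: escape every database value at output time
// instead of echoing $row[...] straight into the HTML table.
function render_member_row(array $row): string {
    $user  = htmlspecialchars($row['adidas_member_user'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $email = htmlspecialchars($row['adidas_member_email'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $user . '</td><td>' . $email . '</td></tr>';
}

// CVE-2019-8290: a browser-side form check is bypassed by posting directly to
// sent_register.php, so the email format must also be validated on the server.
function valid_member_email(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// CVE-2019-8291 / CVE-2019-8292: refuse delete actions unless the session
// belongs to an administrator ($_SESSION['is_admin'] is an assumed key).
function require_admin(): void {
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// CVE-2019-8291: strip any directory component from the requested name and
// confirm the resolved path still lies inside the upload directory.
function safe_delete_upload(string $uploadDir, string $requested): bool {
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . basename($requested));
    if ($base === false || $target === false) {
        return false;                        // directory or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                        // resolved outside the upload directory
    }
    return unlink($target);
}

// Usage sketch for a hardened delete_file.php (assumed parameter name 'file'):
// session_start();
// require_admin();
// safe_delete_upload(__DIR__ . '/uploads', $_POST['file'] ?? '');
```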
Exploit Code:
Screen Shots:
Notes: