
Stored Cross-Site Scripting in "Address" parameter (Peel Shopping 9.4.0) #4

Open
zerodaywolf opened this issue Oct 26, 2021 · 1 comment

Comments


zerodaywolf commented Oct 26, 2021

CVE-2021-27190 updated

Vulnerability

Stored Cross Site Scripting (XSS) in the "Address" field of "http://localhost/peelshopping_9_4_0/utilisateurs/change_params.php"

Affects

Peel Shopping 9.4.0

Description

A Stored Cross Site Scripting attack occurs when a malicious script is injected directly into a vulnerable web application. Every time the infected page is viewed, the malicious script is transmitted to the victim’s browser.

In Peel Shopping 9.4.0, a user-supplied polyglot payload in the "Address" field of the "Change my credentials" form (change_params.php) is echoed back inside JavaScript code in the HTML response. This allows an attacker to input malicious JavaScript which can steal cookies, redirect users to another malicious website, etc.

Proof of Concept

  1. Log in to your account

  2. Navigate to the "Change my credentials" page (http://localhost/peel_9_4_0/utilisateurs/change_params.php)

  3. Paste the below payload in the "Address" field

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

  4. Click on "Change"

  5. You will now get an alert box indicating that the malicious script has executed.

References

You can refer to this repository for reference: https://github.com/vulf/Peel-Shopping-cart-9.4.0-Stored-XSS
You can find the Proof of Concept video at https://drive.google.com/file/d/1cngTLXe3Nf2tHozcYmvnxFRbK6_VWHkL/view?usp=sharing

References for Mitigating the Vulnerability

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
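The behaviour described in the report, as an added example that is not part of the original issue or of Peel Shopping's code: a small Python script that renders the reported payload into the `value` attribute the way the vulnerable template does and the way an HTML-attribute-encoded template would, and into a JavaScript string literal both raw and JSON-encoded, then asks Python's HTML parser which elements and event-handler attributes it actually sees. The rendering functions, the `<script>` wrapper and the check helpers are assumptions made for illustration; only the payload text and the `<input name="adresse">` element come from the report and the template shown in this thread.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed sample input: the polyglot payload from the report, as the
# application would store it (the %0D%0A sequences are kept literally here).
POLYGLOT = (
    r"""jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//"""
    r"""</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e"""
)

# Assumed markup: the start of the input element from user_change_params_form.tpl.
INPUT_PREFIX = '<input class="form-control" name="adresse" id="adresse" value="'


def render_attr_unsafe(value: str) -> str:
    """Mirror of the vulnerable template line: the stored value is placed into
    the attribute untouched (deliberately kept as the 'before' behaviour)."""
    return f'{INPUT_PREFIX}{value}" />'


def render_attr_safe(value: str) -> str:
    """HTML-attribute encoding: & < > " ' become entities, so the value can
    neither close the attribute nor start a new element."""
    return f'{INPUT_PREFIX}{html.escape(value, quote=True)}" />'


def render_js_unsafe(value: str) -> str:
    """Assumed JavaScript context: raw interpolation into a string literal."""
    return f'<script>var adresse = "{value}";</script>'


def render_js_safe(value: str) -> str:
    """JavaScript-string encoding: JSON-encode, then additionally escape the
    characters the HTML parser cares about, so '</script' cannot appear."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(ch, esc)
    return f'<script>var adresse = {encoded};</script>'


class _TagCollector(HTMLParser):
    """Record every element and its attributes as the HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_handlers(markup: str):
    """Names of all on* event-handler attributes found anywhere in the markup."""
    return sorted(name for _, attrs in parse_tags(markup)
                  for name in attrs if name.startswith("on"))


def script_terminates_early(markup: str) -> bool:
    """A '</script' sequence (any case) inside the body ends the element early."""
    body = markup[len("<script>"):-len("</script>")]
    return re.search(r"</script", body, re.IGNORECASE) is not None


def recovered_js_value(markup: str) -> str:
    """Decode the literal emitted by render_js_safe back to the original text."""
    literal = markup[len("<script>var adresse = "):-len(";</script>")]
    return json.loads(literal)


if __name__ == "__main__":
    print("attribute, raw     :", injected_handlers(render_attr_unsafe(POLYGLOT)))
    print("attribute, encoded :", injected_handlers(render_attr_safe(POLYGLOT)))
    print("script, raw ends early    :", script_terminates_early(render_js_unsafe(POLYGLOT)))
    print("script, encoded ends early:", script_terminates_early(render_js_safe(POLYGLOT)))
```

The raw attribute rendering yields an `onclick` on the input and a separate `svg` element carrying `onload`, which is exactly what the browser executes; the encoded rendering yields a single `input` whose parsed `value` is the original text, so the data is preserved but inert. The JavaScript half shows why an attribute filter alone is not enough for the context the report describes: a string-literal context needs its own encoder.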


zerodaywolf commented Oct 28, 2021

Fix

I believe you can fix this issue by using the str_form_value filter in the Smarty/Twig template file, user_change_params_form.tpl, like so:

@@ -146,7 +146,7 @@
 {/if}
        <div class="enregistrement">
                <span class="enregistrementgauche"><label for="adresse">{$STR_ADDRESS}{if !empty($mandatory.adresse)} <span class="etoile">*</span>{/if}{$STR_BEFORE_TWO_POINTS}:</label></span>
-               <span class="enregistrementdroite"><input class="form-control" name="adresse" id="adresse" value="{$adresse|html_entity_decode_if_needed}" {$content_rows_info} /></span>{$adresse_error}
+               <span class="enregistrementdroite"><input class="form-control" name="adresse" id="adresse" value="{$adresse|html_entity_decode_if_needed|str_form_value}" {$content_rows_info} /></span>{$adresse_error}
        </div>
        {foreach $specific_fields as $f}
                {if $f.field_position=='adresse'}
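Review bot: the hunk only encodes the `value="..."` attribute of the `adresse` input, but the issue description says the stored value is echoed back inside JavaScript code in the HTML response; an attribute-context filter on this one line does not make a JavaScript-string context safe, so every other output of `$adresse` in this template and elsewhere should be located and encoded for its own context. Also confirm that `str_form_value` encodes `"`, `'`, `<`, `>` and `&`: it is applied after `html_entity_decode_if_needed`, so the decoded text must be fully re-encoded for the attribute, otherwise the payload can still close the `value` attribute as before. Finally, the hunk has no `---`/`+++` file header, so it cannot be applied with `patch` without pointing it at user_change_params_form.tpl by hand.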
