Stored Cross Site Scripting - (Authenticated) on Opencart Admin Dashboard #7810

Closed
@corrupted-brain

Description

What version of OpenCart are you reporting this for?
Opencart 3.0.3.2
Describe the bug
Stored Cross Site Scripting (XSS) - Authenticated is found in the users image upload section of the OpenCart admin panel. OpenCart accepts filenames with arbitrary code in them and does not escape them, so the JavaScript gets executed. A malicious script can be injected permanently into the admin dashboard and can be used to steal the user's sensitive information like cookies, keystrokes, account information etc.

To Reproduce
Steps to reproduce the behavior:

  1. Go to localhost.com/opencart/admin and login with credentials.

  2. Then navigate to System>Users>Users and click on Action button on top right corner.
    Screenshot from 2020-01-09 09-46-46

  3. Now in the image field, click on the image and upload a new image. Before this, select any image file and rename it with this XSS payload: "><svg onload=alert("XSS")> and then upload it as the new user profile image.

  4. After the upload completes, the XSS pop-up executes as shown below, and it gets executed each time someone visits the Image manager section.
    Screenshot from 2020-01-09 09-58-24

Expected behavior
Escaping and sanitation of HTML tags / special characters before storing or processing them, so that the code does not execute. Although XSS was strictly filtered in other sections, here we were able to execute it because of the filename, so filenames, file extensions and headers should be analyzed to prevent XSS and other file upload vulnerabilities.

Screenshots / Screen recordings

opencart stored XSS.zip

Server / Test environment (please complete the following information):

  • Kali Linux 4.19.0
  • PHP version: 7.1.32
  • Apache version: 2.4.41
  • Browser(s) tested with: Mozilla Firefox Latest Build
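As an added example (not OpenCart's own code), the two defensive steps the report asks for, written in PHP: an allow-list check on the uploaded filename before it is stored, and context-appropriate escaping before the name is rendered in the image manager. The function names, the allow-listed extensions and the sample filenames are assumptions constructed for this illustration.

```php
<?php
// Added example, not OpenCart code. Function names and the allow-list of
// extensions are assumptions chosen for this illustration.
declare(strict_types=1);

// Reject any uploaded filename that is not a plain, allow-listed name.
// Run this before the file is written, so a hostile name never reaches disk
// or the database and cannot later be echoed into the admin page.
function is_safe_upload_filename(string $name): bool
{
    $base = basename($name);              // drop any directory component
    if ($base === '' || strlen($base) > 128) {
        return false;
    }
    // Letters, digits, '.', '-' and '_' only, with exactly one extension
    // taken from the image types the upload form is meant to accept.
    return (bool) preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif|webp)\z/i', $base);
}

// Escape a filename before it is placed inside HTML. ENT_QUOTES also encodes
// '"' and "'", which is what an attribute context such as alt="..." needs;
// without it the reporter's payload closes the attribute early.
function render_filename(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed samples: the payload from the report with an image extension
// appended, and an ordinary avatar name.
$hostile = '"><svg onload=alert("XSS")>.png';
$benign  = 'avatar_2020-01-09.png';

var_dump(is_safe_upload_filename($hostile));   // the payload is rejected
var_dump(is_safe_upload_filename($benign));    // the plain name is accepted

// Vulnerable pattern: the raw name is interpolated into markup, so the
// browser sees a closed attribute followed by a live <svg> element.
$vulnerable = '<img src="image/' . $hostile . '" alt="' . $hostile . '">';

// Hardened pattern: the same markup with the name escaped for the context.
$hardened = '<img src="image/' . render_filename($hostile)
          . '" alt="' . render_filename($hostile) . '">';

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
```

The allow-list check is the primary control here, because the stored name is rendered in several places (file manager listing, profile image, tooltips) and each would otherwise need its own escaping; the escaping function is the defence in depth for any name already in the system.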

Labels: 3.0.x.x (Affects the 3.0.x.x maintenance version)
