advisto / peel-shopping

PEEL Shopping 9.0 : CMS ecommerce open source solution. Multilingual, multi-template engine Smarty or Twig, HTML 5, fast and reliable
http://www.peel-shopping.com

Stored Cross-Site Scripting in "Address" parameter (Peel Shopping 9.4.0) #4

Open zerodaywolf opened 3 years ago

zerodaywolf commented 3 years ago

CVE-2021-27190 updated

Vulnerability

Stored Cross Site Scripting (XSS) in the "Address" field of "http://localhost/peelshopping_9_4_0/utilisateurs/change_params.php"

Affects

Peel Shopping 9.4.0

Description

A Stored Cross Site Scripting attack occurs when a malicious script is injected directly into a vulnerable web application. Every time the infected page is viewed, the malicious script is transmitted to the victim’s browser.

In Peel Shopping 9.4.0, a user-supplied polyglot payload in the "Address" field of the "Change my credentials" form (change_params.php) is echoed back in JavaScript code in the HTML response. This allows an attacker to input malicious JavaScript which can steal cookies, redirect them to other malicious websites, etc.

Proof of Concept

  1. Log in to your account

  2. Navigate to the "Change my credentials" page (http://localhost/peel_9_4_0/utilisateurs/change_params.php)

  3. Paste the below payload in the "Address" field

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

  4. Click on "Change"

  5. You will now get an alert box indicating that the malicious script has executed.

References

You can refer to this repository for reference: https://github.com/vulf/Peel-Shopping-cart-9.4.0-Stored-XSS

You can find the Proof of Concept video at https://drive.google.com/file/d/1cngTLXe3Nf2tHozcYmvnxFRbK6_VWHkL/view?usp=sharing

References for Vulnerability Mitigation

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
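As an added illustration (not Peel Shopping's own code and not the reporter's), the stand-alone PHP below contrasts the pattern described above, the stored address landing raw inside the input's value attribute, with the hardened form that escapes for the HTML attribute context before output. PHP's built-in htmlspecialchars() stands in for a template output filter; the render and check function names, the constants and the sample address are constructed for this example.

```php
<?php
// Added example, not code from Peel Shopping or the report.
// Function names, constants and the sample address are constructed here;
// htmlspecialchars() is the real PHP built-in used as the escaping step.

const INPUT_PREFIX = '<input class="form-control" name="adresse" id="adresse" value="';
const INPUT_SUFFIX = '" />';

// Vulnerable pattern: the stored address is dropped into value="..." as-is.
// A double quote in the data closes the attribute, so the rest of the string
// is parsed by the browser as further attributes of the <input> element.
function render_address_input_unsafe(string $adresse): string
{
    return INPUT_PREFIX . $adresse . INPUT_SUFFIX;
}

// Hardened pattern: escape for the HTML attribute context as the final step.
// ENT_QUOTES matters because the attribute is delimited by quotes;
// < > & are encoded too, so the value can never start a new tag.
function render_address_input_safe(string $adresse): string
{
    $escaped = htmlspecialchars($adresse, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return INPUT_PREFIX . $escaped . INPUT_SUFFIX;
}

// Defender-side check usable in a unit test: whatever ended up between the
// fixed prefix and suffix must contain no raw delimiter characters.
function attribute_value_is_inert(string $html): bool
{
    $frame = strlen(INPUT_PREFIX) + strlen(INPUT_SUFFIX);
    if (strlen($html) < $frame) {
        return false;
    }
    $inner = substr($html, strlen(INPUT_PREFIX), strlen($html) - $frame);
    return strpbrk($inner, '<>"\'') === false;
}

// Constructed sample: an address containing the characters that matter.
$sample = '12 rue "Exemple" <b>';

foreach (['unsafe' => render_address_input_unsafe($sample),
          'safe'   => render_address_input_safe($sample)] as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  attribute intact: ', attribute_value_is_inert($html) ? 'yes' : 'no', PHP_EOL;
}
```

The check only covers the attribute context; a value that is also written into a script block needs JavaScript-string escaping, which htmlspecialchars() does not provide.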

zerodaywolf commented 3 years ago

Fix

I believe you can fix this issue by using the str_form_value filter in the Smarty/Twig template file, user_change_params_form.tpl, like so:

@@ -146,7 +146,7 @@
 {/if}
        <div class="enregistrement">
                <span class="enregistrementgauche"><label for="adresse">{$STR_ADDRESS}{if !empty($mandatory.adresse)} <span class="etoile">*</span>{/if}{$STR_BEFORE_TWO_POINTS}:</label></span>
-               <span class="enregistrementdroite"><input class="form-control" name="adresse" id="adresse" value="{$adresse|html_entity_decode_if_needed}" {$content_rows_info} /></span>{$adresse_error}
+               <span class="enregistrementdroite"><input class="form-control" name="adresse" id="adresse" value="{$adresse|html_entity_decode_if_needed|str_form_value}" {$content_rows_info} /></span>{$adresse_error}
        </div>
        {foreach $specific_fields as $f}
                {if $f.field_position=='adresse'}
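Review bot: the `+` line only escapes the address for the HTML attribute context of `value="..."`, while the report above states the value is echoed back inside JavaScript code in the response; if any template or script block emits `$adresse` into a `<script>` context, that path needs a JavaScript-string escape rather than `str_form_value` and stays open after this hunk. Please also confirm that `str_form_value` encodes the double quote (the attribute delimiter) as well as `<` and `>`, and note that placing it after `html_entity_decode_if_needed` is the right order, since escaping must be the last filter in the chain. The same output filter should be applied wherever `$adresse` is rendered in other templates, not only in this form field.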