kirilkirkov / Ecommerce-CodeIgniter-Bootstrap

Responsive, Multi-Vendor, MultiLanguage Online Store Platform (shopping cart solution)
MIT License
1.28k stars 944 forks

Possible XSS vulnerabilities #242

Closed enferas closed 1 year ago

enferas commented 1 year ago

I would like to report possible XSS vulnerabilities.

In file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\vendor\views\add_product.php

<?php foreach ($languages as $language) { ?>
<button type="button" data-locale-change="<?= $language->abbr ?>" class="btn btn-default locale-change text-uppercase <?= $language->abbr == MY_DEFAULT_LANGUAGE_ABBR ? 'active' : '' ?>">
    <img src="<?= base_url('attachments/lang_flags/' . $language->flag) ?>" alt="">
    <?= $language->abbr ?>
</button>
<?php } ?>
</div>
<?php
$i = 0;
foreach ($languages as $language) {
?>
<div class="locale-container locale-container-<?= $language->abbr ?>" <?= $language->abbr == MY_DEFAULT_LANGUAGE_ABBR ? 'style="display:block;"' : '' ?>>
<input type="hidden" name="translations[]" value="<?= $language->abbr ?>">
<div class="form-group">
    <img src="<?= base_url('attachments/lang_flags/' . $language->flag) ?>" alt="<?= $language->name ?>" class="language">
    <input type="text" name="title[]" placeholder="<?= lang('vendor_product_name') ?>" value="<?= $trans_load != null && isset($trans_load[$language->abbr]['title']) ? $trans_load[$language->abbr]['title'] : '' ?>" class="form-control">
</div> 
<label><?= lang('vendor_product_description') ?> <img src="<?= base_url('attachments/lang_flags/' . $language->flag) ?>" alt="<?= $language->name ?>"></label>
//...

$languages and $trans_load are loaded from the DB and not sanitized.

In file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\vendor\controllers\AddProduct.php

$data['languages'] = $this->Languages_model->getLanguages();
//...
$this->load->view('add_product', $data);

In file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\admin\models\Languages_model.php

public function getLanguages(){
    $query = $this->db->query('SELECT * FROM languages');
    return $query->result();
}

public function setLanguage($post){
    $post['name'] = strtolower($post['name']);
    $post['abbr'] = strtolower($post['abbr']);
    if (!$this->db->insert('languages', $post)) {
        log_message('error', print_r($this->db->error(), true));
        show_error(lang('database_error'));
    }
}

The setLanguage method is called in file Ecommerce-CodeIgniter-Bootstrap-master\application\modules\admin\controllers\advanced_settings\Languages.php

$this->Languages_model->setLanguage($_POST);

There are other similar vulnerabilities that I can provide if you confirm my report.
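
The following is an added example, not code from the issue or from the project, that makes the reported path concrete: a language row whose `abbr` was stored through `setLanguage($_POST)` is rendered by `add_product.php` into attribute and text contexts without escaping, so an admin-controlled value breaks out of the `data-locale-change` attribute. It shows the unescaped rendering beside an escaped one and a storage-time check on `abbr`. It is not the fix in the linked commit. `base_url()` and `html_escape()` are local stand-ins for the CodeIgniter helpers so the script runs outside the framework; the language row and site root are constructed for the demonstration.

```php
<?php
// Added example (not project code): how an unescaped language row becomes
// stored XSS in the vendor add_product view, and one way to harden it.
// Assumptions: base_url() and html_escape() are stand-ins for CodeIgniter's
// helpers; the language row below is constructed, not read from a database.

declare(strict_types=1);

const MY_DEFAULT_LANGUAGE_ABBR = 'en';

// Stand-in for CodeIgniter's base_url(): prefix a fixed (assumed) site root.
function base_url(string $path = ''): string
{
    return 'https://shop.example/' . ltrim($path, '/');
}

// Stand-in for CodeIgniter's html_escape(): htmlspecialchars with ENT_QUOTES,
// which is safe for text nodes and for double- or single-quoted attributes.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker-controlled row, shaped like what setLanguage($_POST)
// would insert. setLanguage() lowercases name and abbr, so the payload is
// written in lowercase; it closes the attribute and adds an event handler.
function constructed_language(): object
{
    return (object) [
        'name' => 'english',
        'abbr' => 'en" onmouseover="alert(document.cookie)',
        'flag' => 'gb.png',
    ];
}

// Unescaped rendering, mirroring the locale button in add_product.php.
function render_button_vulnerable(object $language): string
{
    $active = $language->abbr == MY_DEFAULT_LANGUAGE_ABBR ? 'active' : '';
    return '<button type="button" data-locale-change="' . $language->abbr
        . '" class="btn btn-default locale-change text-uppercase ' . $active . '">'
        . '<img src="' . base_url('attachments/lang_flags/' . $language->flag) . '" alt="">'
        . $language->abbr
        . '</button>';
}

// Hardened rendering: every database-sourced value is escaped at the point
// of output, including the flag file name that lands inside a src attribute.
function render_button_hardened(object $language): string
{
    $abbr   = html_escape($language->abbr);
    $active = $language->abbr == MY_DEFAULT_LANGUAGE_ABBR ? 'active' : '';
    return '<button type="button" data-locale-change="' . $abbr
        . '" class="btn btn-default locale-change text-uppercase ' . $active . '">'
        . '<img src="' . html_escape(base_url('attachments/lang_flags/' . $language->flag)) . '" alt="">'
        . $abbr
        . '</button>';
}

// Defense in depth at storage time: a language abbreviation is a short ASCII
// token, so anything else can be rejected before it reaches the database.
// Output escaping remains the primary control; this only narrows the input.
function valid_language_abbr(string $abbr): bool
{
    return preg_match('/^[a-z]{2,5}$/', strtolower($abbr)) === 1;
}

$language = constructed_language();

echo "Vulnerable rendering:\n" . render_button_vulnerable($language) . "\n\n";
echo "Hardened rendering:\n" . render_button_hardened($language) . "\n\n";
echo 'valid_language_abbr(payload): ' . var_export(valid_language_abbr($language->abbr), true) . "\n";
echo 'valid_language_abbr("en"):    ' . var_export(valid_language_abbr('en'), true) . "\n";
```

Run it with `php example.php` and compare the two `<button>` strings: in the first the `data-locale-change` attribute ends at the injected quote and `onmouseover` becomes a real attribute; in the second the quotes are emitted as `&quot;` and the whole payload stays inside the attribute value. The same escaping applies to `$language->name`, `$language->flag` and the `$trans_load` titles the issue lists, since each is written into an attribute or text node by the view.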

kirilkirkov commented 1 year ago

@enferas Thank you, i have fixed mentioned vulnerabilities with this commit - https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/d5904379ca55014c5df34c67deda982c73dc7fe5

kirilkirkov commented 1 year ago

You can make a pull request with fixes, then I will check them and merge if you want.

enferas commented 1 year ago

Thank you for your response.

Here is the pull request https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/pull/243