Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <E37AAD4E-43F8-493A-AEEC-9FAE1A3D8E66@me.com>
Date: Wed, 02 Oct 2019 06:42:19 -0400
From: Akamai <larry0@...com>
To: Open Security <oss-security@...ts.openwall.com>
Subject: Multiple vulnerabilities in Online store system v1.0 Stored XSS and
 unauthenticated product deletions.

Title: Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.
Author: Larry W. Cashdollar @_larry0
Date: 2019-09-18
CVE-IDs: CVE-2019-8288 CVE-2019-8289 CVE-2019-8290 CVE-2019-8291
Download Site: https://www.abcprintf.com/view_download.php?id=17
Vendor: adcprintf
Vendor Notified: 2019-09-18
Vendor Contact: abcprintf@...il.com
Advisory: http://www.vapidlabs.com/advisory.php?v=210
Description: "Online store system" is a drop in customizable electronic store front. It has an administrative interface allowing user and product management. 
Vulnerability:
The application contains stored XSS vulnerabilities throughout the form page user_view.php  as none of the variables are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie stealing code into their login information form and waiting for an administrative user to navigate to the users panel. 

CVE-2019-8288 
159  echo '<td>'.$row['adidas_member_user'].'</td>'; 
CVE-2019-8289 
160 echo '<td>'. $row['adidas_member_email'] . '</td>';
 CVE-2019-8290 The registration form requirements for the member email format can be bypassed by posting directly to sent_register.php allowing special characters to be included and an XSS payload to be injected. 
CVE-2019-8291 The code in delete_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal allowing a '..' to delete arbitrary files owned by the httpd process. 
CVE-2019-8292 The code in delete_product.php doesn't check to see if a user has administrative rights before allowing them to delete a product from the database.
Exploit Code:
1. Set login name or email to "><script>alert(1);</script>
2. $ curl -s cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent_register.php
3.  
4.  
5. $ curl -s cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=../women.php"
6.  
7. $ curl -s cookie.txt http://example.com/pso/admin/product_delete.php?id=4

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.