Zen Cart is an online store management system. It is PHP-based, using a MySQL database and HTML components. Support is provided for numerous languages and currencies, and it is freely available under the GNU GPL.
Zen Cart v1.3.9f suffers from persistent cross-site scripting (XSS) and SQL injection vulnerabilities. The SQLi issue lies in the "option_name_manager.php" script, in the "option_order_by" parameter, and is reachable through the admin UI (post-auth). The input is not sanitized, which can result in compromise of the database system.
The stored/persistent XSS issue is present almost everywhere in the admin panel where strings are edited or inserted in the different categories. Example:
- In the Admin UI, go to http://127.0.0.1/admin/record_company.php (or Extras > Record Companies) and click "insert". Fill out the 1st, 3rd or 4th field, or all of them, with the string "<script>alert("xss")</script>" and click save. From then on, every time you go back to that page, it will execute the code for every field.
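
One way to handle both inputs defensively, as an added example that is not part of the original advisory and is not Zen Cart's own code: the sort parameter is matched against an allowlist before it reaches the query, and stored strings are HTML-encoded when rendered. The function names, the table name and the allowlisted column names are assumptions for illustration.

```php
<?php
// Added example, not Zen Cart code. Names below are hypothetical.

// Columns the options listing is assumed to be sortable by.
// An ORDER BY target cannot be bound as a query parameter, so the only
// safe approach is to accept nothing but known column names.
const ALLOWED_ORDER_BY = ['products_options_id', 'products_options_name'];

/**
 * Map the untrusted option_order_by request value onto an allowlisted
 * column name; anything else falls back to the default.
 */
function safe_order_by(?string $requested, string $default = 'products_options_id'): string
{
    return in_array($requested, ALLOWED_ORDER_BY, true) ? $requested : $default;
}

/**
 * Encode a stored string for output in HTML element content or a quoted
 * attribute, so markup saved in a record is displayed instead of executed.
 */
function html_out(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request values: one valid, one invalid, one missing.
$samples = ['products_options_name', 'products_options_id; --', null];

foreach ($samples as $value) {
    // Table name is a placeholder for the real options table.
    $sql = 'SELECT * FROM options_table ORDER BY ' . safe_order_by($value);
    echo $sql, PHP_EOL;
}

// The string from the advisory, as it would be rendered after encoding:
// the browser shows the text and does not run it.
echo html_out('<script>alert("xss")</script>'), PHP_EOL;
```

Encoding at output time also neutralizes strings that were stored before the fix, which input filtering alone would not.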