CVE-2019-8292: Larry Cashdollar Vulnerability

Online Store System v1.0 delete_product.php doesn’t check to see if a user is authenticated or has administrative rights, allowing arbitrary product deletion.

Advisory #: 210

Title: Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.

Author: Larry W. Cashdollar

Date: 2019-09-18

CVE-ID:[CVE-2019-8288][CVE-2019-8289][CVE-2019-8290][CVE-2019-8291][CVE-2019-8292]

CWE:

Download Site: https://www.abcprintf.com/view_download.php?id=17

Vendor: adcprintf

Vendor Notified: 2019-09-18

Vendor Contact: [email protected]

Advisory: http://www.vapidlabs.com/advisory.php?v=210

Description: “Online store system” is a drop in customizable electronic storefront. It has an administrative interface allowing user and product management.

Vulnerability:

The application contains stored XSS vulnerabilities throughout the form user_view.php pages as none of the variables are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie stealing code into their login information form and waiting for an administrative user to navigate to the users panel.

CVE-2019-8288

    159 echo '<td>'.$row['adidas_member_user'].'</td>';

CVE-2019-8289

    160 echo '<td>'. $row['adidas_member_email'] . '</td>';

CVE-2019-8290

The registration form requirements for the member email format can be bypassed by posting directly to sent_register.php allowing special characters to be included and an XSS payload to be injected.

CVE-2019-8291

The code in delete_file.php doesn’t check to see if a user has administrative rights nor does it check for path traversal allowing a ‘…’ to delete arbitrary files owned by the httpd process.

CVE-2019-8292

The code in delete_product.php doesn’t check to see if a user has administrative rights before allowing them to delete a product from the database.
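
The checks reported missing above, as an added example that is not code from the advisory or the vendor: output encoding for the echoed member fields, and an admin-only file delete that confines the target to one directory. The session key 'is_admin', the uploads directory and all function names are assumptions, and the demo files are constructed.

```php
<?php
// Added example, not the vendor's code. The session key 'is_admin', the base
// directory and all function names are hypothetical.

// Encode a value for an HTML text or attribute context before echoing it.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the real path of $name only if it is a regular file inside $baseDir.
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Admin-only delete: returns the HTTP status the handler should send.
function delete_upload(array $session, string $baseDir, string $name): int
{
    if (($session['is_admin'] ?? false) !== true) {
        return 403;                 // authorization is checked before anything else
    }
    $path = resolve_inside($baseDir, $name);
    if ($path === null) {
        return 404;                 // traversal, symlink escape or missing file
    }
    return unlink($path) ? 204 : 500;
}

// Constructed demo data: one upload, and one file outside the upload directory.
$root = sys_get_temp_dir() . '/store_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/shoe.jpg", 'x');
file_put_contents("$root/women.php", '<?php');

$row = ['adidas_member_user' => '"><script>alert(1);</script>'];
echo '<td>' . h($row['adidas_member_user']) . "</td>\n";        // markup is encoded

var_dump(delete_upload([], "$root/uploads", 'shoe.jpg'));                       // no admin session
var_dump(delete_upload(['is_admin' => true], "$root/uploads", '../women.php')); // outside base dir
var_dump(delete_upload(['is_admin' => true], "$root/uploads", 'shoe.jpg'));     // permitted delete
var_dump(file_exists("$root/women.php"));                                       // outside file intact
unlink("$root/women.php"); rmdir("$root/uploads"); rmdir($root);                // clean up demo tree
```

Encoding at output time is needed even when the registration handler validates the email format server-side, because the stored value is rendered in the administrator's session.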

Exploit Code:

  1. Set login name or email to "><script>alert(1);</script>

  2. $ curl -s cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent_register.php

  3. $ curl -s cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=…/women.php"

  4. $ curl -s cookie.txt http://example.com/pso/admin/product_delete.php?id=4

Screen Shots:

Notes:
