#Title: SOTESHOP 6.1 - XSS & FPD
#Date: 22.09.2013
#Tested on: Linux 2.4.X
#Version: 6.1 (newest atm)
#Vendor: sote.pl
#Demo: giallo.demo.sote.pl
#Contact: smash@devilteam.pl
1. Cross Site Scripting at user basket
First add something to the basket, then visit host/user_data/addBasketUser
Example - giallo.demo.sote.pl/user_data/addBasketUser
Fill the form field "Uwagi do zamówienia" (order notes) with </textarea><script>alert(666)</script> - voilà!
2. Cross Site Scripting at product review
Find a product and click on a number of stars to rate it, for example:
http://giallo.demo.sote.pl/trampki-blue.html
In the "Recenzja" field (which stands for review) write </em><script>alert(666)</script> - and there's an alert.
3. Cross Site Scripting in username
Register an account on a SOTESHOP installation, for example on sklep.tvp.pl, and fill in valid data.
After registration is complete go to sklep.tvp.pl/user/editAccount and choose "Zmień email (login)", which means
change your login.
Insert <script>alert(666)</script> there and you get persistent XSS on every page.
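All three findings above are the same defect seen in three places: user input is written back into an HTML page without output encoding, so a closing tag in the input ends the surrounding element and a <script> tag executes. The following is an added example, not SOTESHOP code, showing the three advisory payloads rendered through hypothetical templates both raw and HTML-entity encoded; the template strings and page names are assumptions standing in for the basket, review and account pages.

```python
"""Added example (not SOTESHOP code): why the three stored XSS findings above
work and how output encoding in each HTML context neutralises them."""
import html
import re

# Payloads quoted in the advisory, items 1-3.
BASKET_NOTES = '</textarea><script>alert(666)</script>'
REVIEW_TEXT = '</em><script>alert(666)</script>'
LOGIN_NAME = '<script>alert(666)</script>'

SCRIPT_TAG = re.compile(r'<script\b', re.IGNORECASE)

# Hypothetical templates standing in for the three shop pages (constructed).
TEMPLATES = {
    'basket_notes': '<textarea name="notes">{value}</textarea>',
    'review': '<em class="review">{value}</em>',
    'account_login': '<a href="/user/editAccount" title="{value}">{value}</a>',
}
INPUTS = {
    'basket_notes': BASKET_NOTES,
    'review': REVIEW_TEXT,
    'account_login': LOGIN_NAME,
}


def render_vulnerable(template: str, value: str) -> str:
    """Raw string interpolation: the pattern the advisory exploits."""
    return template.replace('{value}', value)


def render_safe(template: str, value: str) -> str:
    """Same template, but the value is HTML-entity encoded first.
    quote=True also escapes " and ', which covers attribute contexts
    such as the title="..." on the account page."""
    return template.replace('{value}', html.escape(value, quote=True))


def has_live_script(rendered: str) -> bool:
    """True when a real <script> start tag survives in the output."""
    return SCRIPT_TAG.search(rendered) is not None


def audit() -> dict:
    """Render every page both ways; return {page: (raw_has_xss, encoded_has_xss)}."""
    results = {}
    for page, tpl in TEMPLATES.items():
        vuln = render_vulnerable(tpl, INPUTS[page])
        safe = render_safe(tpl, INPUTS[page])
        results[page] = (has_live_script(vuln), has_live_script(safe))
    return results


if __name__ == '__main__':
    for page, (vuln, safe) in audit().items():
        print(f'{page:14s} raw: {"XSS" if vuln else "ok"}   encoded: {"XSS" if safe else "ok"}')
```

Encoding at output time, in the context the value lands in, is the fix; input filtering alone does not help because the same stored value is reused on several pages (the login name, per item 3, appears on every page).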
4. Full Path Disclosure
/stThumbnailPlugin.php?f=product&i[]=&t=icon&u=
PoC:
HOST/stThumbnailPlugin.php?f=product&i[]=&t=icon&u=
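The PoC sends i[]= instead of i=, so in PHP the parameter arrives as an array rather than a string; when such a value reaches a string or file function unchecked, PHP emits a warning, and with display_errors enabled that warning includes the script's absolute path. The following is an added example, not SOTESHOP code, of the defensive side: a strict allow-list validator for the thumbnail endpoint's four query parameters that rejects array-style keys before anything is done with them. The parameter validators (table names, size names, length limits) are assumptions; the real endpoint's accepted values are not on the page.

```python
"""Added example (not SOTESHOP code): strict query-parameter validation for a
thumbnail endpoint like the one in item 4, plus display_errors kept off so that
any warning that does slip through never reaches the client."""
from urllib.parse import parse_qs

# Hypothetical allow-list for the endpoint: parameter name -> validator.
ALLOWED = {
    'f': lambda v: v in {'product', 'category'},   # constructed set of names
    'i': lambda v: v.isdigit() and len(v) <= 10,    # numeric image id
    't': lambda v: v in {'icon', 'small', 'big'},   # constructed size names
    'u': lambda v: len(v) <= 64,
}


class BadRequest(ValueError):
    pass


def validate_query(query: str) -> dict:
    """Return {name: str} for a well-formed query; raise BadRequest otherwise.
    Rejects bracketed keys (PHP array syntax), unknown keys, repeated keys and
    values that fail their validator. Unlike PHP, Python's parse_qs keeps
    'i[]' as the literal key, so the bracket check catches the PoC form."""
    parsed = parse_qs(query, keep_blank_values=True)
    clean = {}
    for key, values in parsed.items():
        if '[' in key or ']' in key:
            raise BadRequest(f'array-style parameter not allowed: {key}')
        if key not in ALLOWED:
            raise BadRequest(f'unknown parameter: {key}')
        if len(values) != 1:
            raise BadRequest(f'parameter repeated: {key}')
        if not ALLOWED[key](values[0]):
            raise BadRequest(f'invalid value for {key}')
        clean[key] = values[0]
    missing = set(ALLOWED) - set(clean)
    if missing:
        raise BadRequest(f'missing parameters: {sorted(missing)}')
    return clean


def handle(query: str) -> tuple:
    """Minimal handler returning (status, body). A 400 carries no internals;
    the reason belongs in the server log, never in the response."""
    try:
        params = validate_query(query)
    except BadRequest:
        return 400, 'bad request'
    return 200, f'thumbnail {params["f"]}/{params["i"]}/{params["t"]}'


if __name__ == '__main__':
    print(handle('f=product&i[]=&t=icon&u='))      # PoC form from the advisory
    print(handle('f=product&i=42&t=icon&u=abc'))   # well-formed request
```

Validation stops the warning from being triggered at all; keeping display_errors off (and log_errors on) in production is the second layer, so that whatever warning a future bug produces stays in the error log instead of disclosing the installation path.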