Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70

From: tal argoni <talargoni@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70
Date:


Security Advisory
CVE-ID: N/A
Topic:         Reflected Cross Site Scripting (XSS) Vulnerability in
"successful registration" page
Class:          Input Validation
Severity:       Medium
Discovery:      2016-04-28
Vendor Notification:        2016-04-28
Vendor response:        2016-05-30
Vendor Patch: 2016-05-31
Public Announced: 2016-08-15
Credits:        Tal Argoni, CEH from Triad Security [http://www.triadsec.com/]
Affects:        nopCommerce, open-source & free e-commerce solution 3.70
Resolved:       Version 3.8

I. Background
nopCommerce is open-source e-commerce shopping cart web application
written in MVC.NET. After
anonymous user successfully registered the application, the
application return the user a successful
registration page with "continue to the shop" button. The
redirection's parameter (returnurl) value is
supplied by the user and echo without output validation to the browser.

II. Problem Description
Reflected cross-site scripting vulnerabilities arise when data is
copied from a request and echoed into
the application's immediate response in an unsafe way. The injected
code is not stored within the
application itself; it is only impacts users who open a maliciously
crafted link or third-party web page.
The attack string is included as part of the crafted URI or HTTP
parameters, improperly processed by the
application, and returned to the victim.
Exploit code/POC:
http://VulnopCommerce/registerresult/1?returnurl=%2fcustomer%2finfo'%3balert("hacked+by+triad+s
ecurity")%3b%2f%2f

III. Impact
The attacker-supplied code can perform a wide variety of actions, such
as stealing the victim's session
token or login credentials, performing arbitrary actions on the
victim's behalf, and logging their
keystrokes.
IV. Workaround
You can work around this problem by doing the following:
1. It is recommended to use HTML-encoded at any point where it is
copied into application
responses.

V. Solution
Download vendor patch from http://www.nopcommerce.com .
Update to version 3.8

VI. References
http://www.triadsec.com/
https://www.linkedin.com/in/talargoni
https://github.com/nopSolutions/nopCommerce/commit/364091c16bae533a6c00c0f3bd920ed15da25f
77
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.