Title: Cross-Site Scripting in HikaShop Joomla Component
CVE ID: CVE-2015-7344
CVSSv3 Base Score: 2.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)
Advisory Release Date: 15 October 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7344
Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>
The HikaShop Joomla component is vulnerable to cross-site scripting (XSS) in its update controller, inside the back office.
This XSS can only be exploited from within the control panel, so it is not especially critical.
Still, as can be seen in the source code, three variables receive their values from getString.
By looking at the documentation you can see that:
Fetches and returns a given filtered variable. The string filter deletes 'bad' HTML code, if not overridden by the mask. This is currently only a proxy function for getVar().
By "mask" they mean this:
TL;DR; "Converts the input to a plain text string; strips all tags / attributes."
So tags such as "><script>alert(1)</script> or "><img src=X onerror=alert(1)> are stripped, but you can still close the string with a double quote and continue writing HTML attributes.
To reproduce this XSS, supply a payload such as "onmouseover%3d"alert('XSS')" as the value of any of the three vulnerable parameters (field_id, field_type, field_namekey).
[Image: GET request]
[Image: Response with injected payload]
The original URL request is:
Below you can see an image of the XSS on one of those fields.
[Image: Browser output]
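The mechanism the advisory describes, as an added illustration that is not part of the advisory or of HikaShop's code: a simplified stand-in for the "string" input filter (tags stripped, quotes left alone) is applied to the advisory's payload, which still lets the value break out of an attribute when echoed raw, whereas attribute-context output encoding neutralises it. The filter regex, the render functions and the attribute tokeniser are assumptions for the demonstration, not Joomla's own implementation.

```python
import html
import re

# Simplified model of Joomla's "string" input filter as the advisory
# describes it: removes tags and their attributes, leaves quotes alone.
# Assumption for illustration, not Joomla's own filter code.
TAG_RE = re.compile(r"<[^>]*>")


def string_filter(raw: str) -> str:
    return TAG_RE.sub("", raw)


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: filtered input written raw into an attribute."""
    return f'<input type="text" name="field_namekey" value="{value}">'


def render_safe(value: str) -> str:
    """Hardened pattern: encode for the attribute context at output time."""
    encoded = html.escape(value, quote=True)
    return f'<input type="text" name="field_namekey" value="{encoded}">'


ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def attributes(markup: str) -> dict:
    """Rough tokeniser for attr="value" pairs, to show what a browser sees."""
    return dict(ATTR_RE.findall(markup))


if __name__ == "__main__":
    # Constructed sample: URL-decoded form of the advisory's payload.
    payload = '" onmouseover="alert(\'XSS\')"'
    filtered = string_filter(payload)
    # Input filtering passes the quote through, so the raw render gains
    # an onmouseover attribute; the encoded render keeps it inside value.
    print(attributes(render_unsafe(filtered)))
    print(attributes(render_safe(filtered)))
```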