1. Vulnerability Properties
Title: Cross-Site Scripting in HikaShop Joomla Component
CVE ID: CVE-2015-7344
CVSSv3 Base Score: 2.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)
Advisory Release Date: 15 October 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7344
Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>
2. Vulnerability Summary
Hikashop's plugin is vulnerable to Cross-Site Scripting (XSS) in its update controller, inside the back office.
3. Technical Details
This XSS can only be exploited from the administrator control panel, so it is not that critical.
Still, as you can see in the source code, there are three variables that receive their values from getString.
By looking at the documentation you can see that:
Fetches and returns a given filtered variable. The string filter deletes 'bad' HTML code, if not overridden by the mask. This is currently only a proxy function for getVar().
By "mask" they mean this:
TL;DR: "Converts the input to a plain text string; strips all tags / attributes."
So you can't inject tags such as "><script>alert(1)</script> or "><img src=X onerror=alert(1)>, but you can close the attribute value with a double quote and keep writing HTML attributes, since quotes survive the filter.
To replicate this XSS you can use the following payload: "onmouseover%3d"alert('XSS')" (for example) as the value of any of the three vulnerable parameters (field_id, field_type, field_namekey).
The original url request is:
Below you can see an image of the XSS on one of those fields.
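The following is an added example, not HikaShop or Joomla code, showing why a tag-stripping input filter alone does not stop attribute-context XSS and how output encoding does. The stripTagsFilter() function is a simplified stand-in for Joomla's 'string' mask, not the real JFilterInput implementation; the field name and markup are assumed.

```php
<?php
// Added example (not HikaShop or Joomla code): a tag-stripping input filter
// removes <script> and <img onerror=...> payloads, but a value that merely
// closes the surrounding quote and adds attributes survives untouched.

/** Simplified stand-in for a "strip all tags / attributes" input filter. */
function stripTagsFilter(string $input): string
{
    // Decode entities first so encoded tags do not slip through, then strip tags.
    $decoded = html_entity_decode($input, ENT_QUOTES, 'UTF-8');
    return strip_tags($decoded);
}

/** Vulnerable pattern: the filtered value is echoed straight into an attribute. */
function renderUnsafe(string $fieldId): string
{
    return '<input type="text" name="field_id" value="' . stripTagsFilter($fieldId) . '">';
}

/** Fixed pattern: encode for the HTML attribute context at output time. */
function renderSafe(string $fieldId): string
{
    $encoded = htmlspecialchars(stripTagsFilter($fieldId), ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="field_id" value="' . $encoded . '">';
}

// Constructed sample inputs: a normal value, a tag-based probe, and the
// attribute-breakout payload from the advisory (URL-decoded form).
$samples = [
    'ok'           => 'hello',
    'tag payload'  => '"><script>alert(1)</script>',
    'attr payload' => '"onmouseover="alert(\'XSS\')"',
];

foreach ($samples as $label => $value) {
    echo "[$label]\n";
    // Unsafe output: the 'attr payload' case yields value=""onmouseover="alert('XSS')"">
    echo "  unsafe: " . renderUnsafe($value) . "\n";
    // Safe output: quotes become &quot;, so the value stays inside the attribute.
    echo "  safe:   " . renderSafe($value) . "\n";
}
```

The point for reviewers is that input filtering and output encoding are separate controls: the filter decides what characters are allowed in, while htmlspecialchars() with ENT_QUOTES decides how they are rendered in an attribute.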
4. Vulnerable Versions
- Update to Hikashop 2.6.0
6. Vulnerability Timeline
- September 01, 2015 — Bug reported to Hikashop
- September 01, 2015 — Hikashop’s team replied asking for more info.
- September 24, 2015 — Bug fixed
- October 15, 2015 — Public disclosure