| Title | detronetdip E-commerce 1.0 Cross-Site Scripting (XSS) |
|---|
| Description | Severity: HIGH (7.6)
CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N`
Bug Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The application contains a Stored Cross-Site Scripting (XSS) vulnerability due to insufficient input sanitization in the core utility functions. The function intended to clean inputs, `get_safe_value()`, only calls `mysqli_real_escape_string()`. That function escapes the characters that are special inside a SQL string literal (backslash, single and double quotes, NUL, newline, carriage return and Ctrl-Z), which prevents SQL injection, but it does **not** encode HTML metacharacters such as `<`, `>` and `&`, and MySQL stores the original bytes once the literal has been parsed.
An attacker can use the previously identified IDOR vulnerability to write malicious JavaScript into product fields (such as `product_name` or `description`). The payload is stored in the database unchanged. When an administrator views the product list or approves products in the backend dashboard, the stored value is echoed into the page unencoded and the script executes in the administrator's browser session.
Vulnerable Files:
- Root Cause: `utility/function.php` (Insecure `get_safe_value` function)
- Injection Point: `seller/assets/backend/product/updateproduct.php`
Vulnerable Code Analysis
- File: `utility/function.php`
```php
function get_safe_value($con, $str)
{
    if ($str != '') {
        $str = trim($str);
        // FLAW: Only protects against SQL Injection.
        // Does NOT protect against XSS (e.g., does not use htmlspecialchars).
        return mysqli_real_escape_string($con, $str);
    }
}
```
Exploit Proof of Concept (PoC)
- Exploit Command:
The attacker injects a JavaScript payload designed to alert a message (or steal cookies) into the Product Name field.
```bash
curl -X POST \
  -H "Cookie: PHPSESSID=[Session_ID]" \
  -d "id=10" \
  -d "name=<script>alert('XSS_ADMIN_TAKEOVER')</script>" \
  -d "price=1000" \
  -d "sellprice=1" \
  -d "quantity=10" \
  "http://localhost:3000/seller/assets/backend/product/updateproduct.php"
```
- Execution Scenario:
1. Attacker executes the curl command.
2. `mysqli_real_escape_string` only escapes the quotes for the SQL literal; MySQL un-escapes them when it parses the query, so the database stores `Product Name` exactly as `<script>alert('XSS_ADMIN_TAKEOVER')</script>`.
3. Administrator logs in and visits the "Product Approval" page.
4. The browser renders the product list, encounters the `<script>` tag, and executes the alert.
Impact:
- **Session Hijacking:** Attackers can inject scripts that read the Administrator's `PHPSESSID` cookie via `document.cookie` (unless the cookie is set with the `HttpOnly` flag) and send it to a server they control, allowing full account takeover; even with `HttpOnly` set, the script can still issue authenticated requests to the backend on the Administrator's behalf.
- **Persistent Malware:** The script executes every time the affected page is loaded, potentially re-infecting the admin or other users repeatedly.
- **Phishing/Defacement:** Attackers can rewrite the page content (DOM) to display fake login forms or misleading information.
Remediation Recommendations:
- Implement Output Encoding (XSS Fix)
To mitigate the XSS, data must be encoded for the context it is written into before it reaches the browser:
- Keep `get_safe_value` for what it does: it makes a value safe to place inside a SQL string literal and nothing else. It must not be relied on as an XSS control, and it should not be changed to HTML-encode its input, because that would store encoded data and break non-HTML consumers of the same column. Output encoding is a separate step.
- Output Encoding: wherever stored product data is written into HTML (the admin product list and approval page, and any seller or storefront page that shows `product_name` or `description`), wrap the variable in `htmlspecialchars()` with `ENT_QUOTES`, so that single and double quotes are encoded as well and the value is also safe inside attribute values.
- Vulnerable: `echo $row['product_name'];`
- Secure: `echo htmlspecialchars($row['product_name'], ENT_QUOTES, 'UTF-8');` |
|---|
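The following added example (not code from the detronetdip project or from the report) follows the PoC payload through the SQL escaping step, the database round trip and both rendering paths, to show why the SQL escaping in `get_safe_value()` leaves the HTML intact and what the hardened output looks like. It runs from the PHP CLI without a database: `sql_escape()` is a stand-in that reproduces the character set `mysqli_real_escape_string()` escapes, `stored_value()` models MySQL un-escaping the literal, and the helper name `e()` is an assumption.

```php
<?php
// Added example, not code from the detronetdip project or from the report.
// sql_escape() stands in for mysqli_real_escape_string(), which needs a live
// connection; it escapes the same characters (backslash, both quotes, NUL,
// newline, carriage return, Ctrl-Z) and nothing else.
function sql_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Same behaviour as the vulnerable get_safe_value(): trim, then SQL-escape only.
function get_safe_value_like(string $str): string
{
    return sql_escape(trim($str));
}

// MySQL un-escapes the string literal while parsing the query, so the bytes
// that land in the column are the attacker's original input. This reverses
// sql_escape() exactly.
function stored_value(string $escaped): string
{
    return strtr($escaped, [
        "\\\\" => "\\",
        "\\'"  => "'",
        "\\\"" => "\"",
        "\\0"  => "\0",
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\Z"  => "\x1a",
    ]);
}

// Vulnerable rendering, as in the admin product list: the raw column value is
// concatenated into the HTML.
function render_row_vulnerable(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened rendering: encode at the HTML output boundary. e() is an assumed
// helper name. ENT_QUOTES also encodes ' and " so the value is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead
// of making htmlspecialchars() return an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_secure(string $name): string
{
    return '<td>' . e($name) . '</td>';
}

// Constructed input: the same payload the PoC sends in the name field.
$payload = "<script>alert('XSS_ADMIN_TAKEOVER')</script>";

$escaped = get_safe_value_like($payload);
$stored  = stored_value($escaped);

echo "Sent to SQL:     ", $escaped, "\n";   // quotes escaped, < and > untouched
echo "Stored in DB:    ", $stored,  "\n";   // identical to the payload
echo "Vulnerable HTML: ", render_row_vulnerable($stored), "\n";
echo "Hardened HTML:   ", render_row_secure($stored), "\n";
```

Running it with `php example.php` prints the SQL-escaped form `<script>alert(\'XSS_ADMIN_TAKEOVER\')</script>`, the stored value identical to the payload, the vulnerable row with a live `<script>` element, and the hardened row `<td>&lt;script&gt;alert(&#039;XSS_ADMIN_TAKEOVER&#039;)&lt;/script&gt;</td>`, which the browser displays as text. The same `e()` wrapper has to be applied to every echoed field (`description` included), and it is only the right encoder for HTML text and attribute content; a value placed inside a `<script>` block or a URL needs the encoder for that context instead.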
| Source | https://github.com/Nixon-H/PHP-Stored-XSS-Bypass-Real-Escape |
|---|
| User | Nixon-H (UID 95173) |
|---|
| Submission | 07/02/2026 18:58 (4 months ago) |
|---|
| Moderation | 18/02/2026 15:10 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 346487 [detronetdip E-commerce 1.0.0 utility/function.php get_safe_value cross site scripting] |
|---|
| Points | 20 |
|---|