CVE-2021-27190 – PEEL Shopping, eCommerce shopping cart – Stored Cross-Site Scripting Vulnerability in ‘Address’


CVE-2021-27190 – PEEL SHOPPING

CVE ID: CVE-2021-27190
Vulnerability Name: Stored Cross Site Scripting(XSS)
Product: Peel Shopping 
Affected Version: 9.3.0
Credits: Anmol K Sachan
Vendor Homepage :

https://www.peel.fr/

Software Link

https://www.peel.fr/nos-offres-1/peel-shopping-31.html
https://sourceforge.net/projects/peel-shopping/

Vulnerable Software Link

https://drive.google.com/file/d/1dIwRdaqtEyqUUgxbRqrHiS5WQ10nEG8z/view?usp=sharing

Software:

PEEL SHOPPING 9.3.0

Vulnerability Type:

Stored Cross-site Scripting

Vulnerability

Stored XSS

Tested on: Windows 10 (XAMPP)
CVE Assigned

CVE-2021-27190
This application is vulnerable to stored XSS.

Vulnerable script

http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php

Vulnerable parameters

‘Address’

Payload used

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

POC

https://drive.google.com/file/d/1t1hksDsYqYsqryRq61tNIQQMTCFidtc1/view
On the same page where the payload was injected, click the text box to edit the address.
The injected JavaScript (XSS) executes.


Current Description

A stored cross-site scripting (XSS) vulnerability was discovered in PEEL SHOPPING 9.3.0, which is publicly available. User-supplied input containing a polyglot payload is echoed back inside JavaScript code in the HTML response. This allows an attacker to inject malicious JavaScript that can steal cookies, redirect users to another malicious website, etc.

Impact

In stored cross-site scripting, the malicious JavaScript payload is saved in the database and reflected back whenever the vulnerable web page is opened; because it is persisted, it is triggered every time the page loads.

Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application and persisted there.

Remediation, Solution
  • Escape all user input and output.
  • Escape all special characters.
  • Set the HttpOnly attribute (introduced by Internet Explorer and now supported by all major browsers) on cookies so that no script can read them; this limits cookie theft and is an output-side protection rather than input validation.
  • Escape all untrusted data according to the context it is rendered in: HTML body, attribute, JavaScript, CSS or URL.
  • Whitelist input validation is an excellent strategy for preventing XSS: define a list of allowed input patterns (the allowed regular expressions), and reject any input that does not match.
  • Use of the OWASP auto-sanitization library is highly recommended.
  • To prevent XSS, also use AntiSamy or the Java HTML Sanitizer Project (both from OWASP).
  • Use an OWASP-recommended Content Security Policy.
  • Output validation is a must; without proper escaping or validation, the data will be treated as active content by the browser.
  • Build a good XSS filter.
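To make the context-specific escaping rules above concrete, here is an added PHP example (not PEEL Shopping's own code; the render functions and the `address` field layout are hypothetical) that feeds the polyglot payload quoted in this advisory through an illustrative vulnerable sink and through per-context encoders for the HTML attribute and JavaScript string contexts:

```php
<?php
// Added example, not PEEL Shopping code: context-aware output encoding for a
// user-supplied address. Function names are hypothetical illustrations.
declare(strict_types=1);

// HTML body or double-quoted attribute value context.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context: JSON-encode and hex-escape every character
// that could close the literal or the enclosing <script> element.
function esc_js(string $s): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $out = json_encode($s, $flags);
    // On an encoding failure (e.g. invalid UTF-8) emit an empty literal, never raw input.
    return $out === false ? '""' : $out;
}

// Vulnerable pattern (illustrative): the stored value is dropped into a script block
// unescaped, so the quote and "</scRipt" in the payload break out of the literal.
function render_vulnerable(string $address): string {
    return "<script>var address = '" . $address . "';</script>";
}

// Hardened: each sink uses the encoder for its own context.
function render_hardened(string $address): string {
    return '<input type="text" name="address" value="' . esc_html($address) . '">' . "\n"
         . '<script>var address = ' . esc_js($address) . ';</script>';
}

// Polyglot payload from this advisory, used here only as sample input.
$address = 'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//'
         . '</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e';

echo "--- vulnerable ---\n", render_vulnerable($address), "\n\n";
echo "--- hardened ---\n", render_hardened($address), "\n";
```

In the hardened output every `<`, `>`, `'`, `"` and `&` appears as an HTML entity or a `\uXXXX` escape, so the browser treats the address purely as data in both contexts.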
Building a Good XSS Filter

Keep in mind that no perfect XSS filter can be built; a filter is only an added layer of protection. It helps protect the application from unsophisticated attacks and script kiddies.

Basic Rules for an XSS Filter

  • Encode every piece of data supplied by the user.
  • If the data does not come directly from the user but arrives via a GET request, encode it too.
  • The following data must be properly sanitized:
    1. URL
    2. HTTP Referer header: the HTTP header field that carries the address of the web page from which the resource was requested.
    3. GET parameters from a form.
    4. POST parameters from a form.
    5. window.location: the JavaScript object that exposes the address of the current web page and can also be used to redirect to another page.
    6. document.referrer: returns the URL of the document that loaded the current document.
    7. document.location: contains information about the current URL.
    8. document.URL
    9. document.URLUnencoded
    10. Cookie data
    11. All header data
    12. Database data
References

https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27190
