ShopXO 6.5.0 has a reflected XSS vulnerability #89
Description
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability exists in ShopXO 6.5.0, allowing attackers to inject arbitrary JavaScript via the lang parameter. The vulnerability occurs due to insufficient input sanitization in multilingual support functionality, where user-supplied input is directly embedded into JavaScript code without proper escaping.
Details
The lang parameter value is directly inserted into JavaScript code without proper escaping for single quotes (').
While the parameter is used to set a JavaScript variable, the lack of proper sanitization allows breaking out of the string context and injecting arbitrary code.
Vulnerable Code Locations:
app/index/view/default/public/header.html
app/admin/view/default/public/header.html
app/install/view/public/header.html
Vulnerable Code Snippet:
<script>
{{if !empty($lang_data)}}
{{foreach $lang_data as $k=>$v}}
{{if !empty($k) and isset($v) and !is_array($v)}}
var lang_<?php echo htmlentities((string) $k); ?> = '<?php echo htmlentities((string) $v); ?>';
{{/if}}
{{/foreach}}
{{/if}}
...
Proof of Concept (PoC)
http://target-ip/?lang=1%27;alert(234);var%20__test__=%271
Impact
Session Hijacking: Steal admin/user cookies via document.cookie.
Phishing Attacks: Inject fake login forms or redirect users.
Privilege Escalation: Modify admin settings if exploited in the backend.