Interspire Forum
04-28-2017, 09:36 PM
mrquality5
Interspire Customer

Join Date: Jul 2013
Posts: 27

IEM XSS vulnerability

Hi folks,

Wanted to let you all know that IEM, even the current version 6.1.7, has an XSS (cross-site scripting) vulnerability that could allow anyone to use your IEM site's install as a way to do malicious things like trick people into downloading malware, ransomware, etc.

Unfortunately my attempts to display actual example code of this in this forum editor actually are causing the issue, so I can't paste it in without breaking it apart. But if you make a URL from your base IEM installation and add in "?page=>" you can then add code to run some JavaScript code in the URL itself.

http://yourIEMdomainhere.com/admin/index.php?page=">
+
an opening bracket "<"
+
some JS code to do something
+
a closing bracket ">"

and you'll get a JavaScript pop-up, but you shouldn't. This vulnerability allows someone to create a shortened link to your IEM site using something like Bitly and use it to trick unsuspecting users into downloading something bad without them even knowing.

This vulnerability does not put your IEM install data or control at risk, it means your IEM install can be used to exploit others. If you are not concerned about your IEM instance being used to exploit others, then ignore this posting.

I am fairly technical but not actually a programmer, so I don't fully understand this vulnerability... but my colleagues who are told me that this stems from the fact that IEM is not properly quoting data entered by the user when reflecting it back to them. Specifically, it comes from the %%PAGE%% substitutions they are doing without quoting %%PAGE%%. This is present in a number of pages across the software, but the worst offenders are

admin/com/templates/login.tpl
admin/com/templates/forgotpassword.tpl

I reported it to IEM support and they mentioned they already had it in their internal bug tracker, so hopefully they fix it in a release coming soon. In the meantime if you want to fix yourself, comment out the culprit form tag and re-write it excluding the "%%PAGE%%" parameter. For example in "admin/com/templates/login.tpl"




Hopefully this helps anyone interested in ensuring their IEM install can't be used to maliciously exploit others.

Best,
Zach

Last edited by mrquality5; 04-28-2017 at 09:49 PM..
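The mechanism the post describes, as an added example that is not part of the original post or of IEM itself (IEM is PHP; this is a reduced Python model): a stand-in for the %%PAGE%% substitution in a login form's action attribute, the attribute-breakout payload the post sketches, and two ways to close the hole. The template line, the payload and the page-name allowlist are assumptions for illustration, not the actual contents of admin/com/templates/login.tpl.

```python
import html
import re

# Hypothetical stand-in for the form tag in admin/com/templates/login.tpl.
# The real template text is not on the page; this only models the pattern
# the post describes: a raw %%PAGE%% token inside a quoted attribute.
LOGIN_TPL = (
    '<form method="post" action="index.php?page=%%PAGE%%">\n'
    '  <input type="text" name="username">\n'
    '</form>'
)

# Constructed payload of the shape the post sketches: close the attribute
# and the tag, then open a script element.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(template: str, page: str) -> str:
    """Plain text substitution: whatever arrived in ?page= is dropped into
    the action attribute untouched, so a double quote ends the attribute."""
    return template.replace("%%PAGE%%", page)


def render_escaped(template: str, page: str) -> str:
    """Fix 1: HTML-escape for attribute context. html.escape(quote=True)
    turns " into &quot; and < into &lt;, so the attribute cannot be closed
    early and no element can be opened from inside it."""
    return template.replace("%%PAGE%%", html.escape(page, quote=True))


# Assumed page-name grammar: IEM page names seen in the post (login,
# forgotpassword) fit [a-z0-9_]; anything else is not a page name.
PAGE_NAME = re.compile(r"^[a-z0-9_]{1,64}$")


def render_allowlisted(template: str, page: str, default: str = "login") -> str:
    """Fix 2: treat ?page= as an identifier, not free text. Values outside
    the allowed grammar fall back to a known page. Still escape on output,
    because the allowlist and the output encoding guard different things."""
    if not PAGE_NAME.match(page):
        page = default
    return template.replace("%%PAGE%%", html.escape(page, quote=True))


def injects_script(rendered: str) -> bool:
    """Crude oracle for this demo: did a live <script> tag reach the output?"""
    return "<script>" in rendered


def find_unquoted_page_tokens(template_text: str):
    """Audit helper: (line number, line) for every line of a template that
    still carries the raw %%PAGE%% token, so an admin can run it over each
    .tpl file of an install and see which ones need the edit."""
    return [
        (n, line.strip())
        for n, line in enumerate(template_text.splitlines(), 1)
        if "%%PAGE%%" in line
    ]


if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(LOGIN_TPL, PAYLOAD))
    print("escaped:\n" + render_escaped(LOGIN_TPL, PAYLOAD))
    print("allowlisted:\n" + render_allowlisted(LOGIN_TPL, PAYLOAD))
    print("offending lines:", find_unquoted_page_tokens(LOGIN_TPL))
```

Because the token sits inside a query string within the attribute, the strictly correct output encoding is URL-encoding (urllib.parse.quote) followed by HTML-escaping; html.escape alone is still enough to defeat the "> breakout shown here. The allowlist variant is closest to the poster's advice of not trusting ?page= at all, and find_unquoted_page_tokens() is a quick way to list which template files in an install still carry the raw token.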